A new strain of Android malware with the ability to steal user credentials from 226 different applications among other advanced capabilities has been discovered in the wild and analyzed by security researchers.

The security firm ThreatFabric has released a new report in which it goes into depth concerning the trojan, named Alien, that has been active since the beginning of this year and can be purchased as a Malware-as-a-Service (MaaS) on hacker forums on the dark web.

While Alien is a new strain of malware that can infect Android smartphones, it is actually based on source code from the Cerberus trojan that was created by a rival malware gang. Cerberus was quite active last year before Google's security team found a way to detect and clean devices infected with it earlier this year. 

After trying to unsuccessfully auction off its codebase and customerbase, Cerberus' creator ended up giving it away for free by publishing the trojan's source code on an underground forum.

• We've put together a list of the best antivirus software
• Protect your privacy online with one of the best VPN services
• Also check out our roundup of the best malware removal software

Although Alien is based on an older version of Cerberus, the detection methods used by Google's security team don't seem to work on the new strain of Android malware and this has led it to become increasingly popular among cybercriminals.

Advanced capabilities

In its new report, ThreatFabric provided further details on the capabilities of the Alien malware, saying:

“The Alien malware is a rented banking Trojan which offers more than the average capabilities of Android banking Trojans. It has common capabilities such as overlay attacks, control and steal SMS messages and harvest the contact list. It can leverage its keylogger for any use and therefore broaden the attack scope further than its target list. It also offers the possibility to install, start and remove applications from the infected device. Most importantly, it offers a notifications sniffer, allowing it to get the content of all notifications on the infected device, and a RAT (Remote Access Trojan) feature.”

According to the firm's researchers, Alien's advanced capabilities are mostly used for fraud as the malware can harvest, send and forward SMS messages as well as steal 2FA codes and a user's contacts list. The malware can also be used to show fake login pages for 226 Android apps which allows it to easily steal banking credentials from infected devices. Most of the banking apps targeted by Alien's creators belonged to banks in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia and the UK.

Alien is distributed using a variety of methods including phishing sites, fake apps and even by SMS. To prevent having your devices infected with this new malware strain, ThreatFabric recommends that users avoid downloading and installing Android apps from unofficial sources.

• We've also highlighted the best Android antivirus apps

Via ZDNet