Palo Alto Networks has announced the discovery of the Xbot Trojan, a new mobile threat targeting Android smartphone users. Not only does the malware steal online banking usernames and passwords, it can also lock the victim's device and demand a ransom to unlock it. The new family of dual-purpose malware acts as both a banking Trojan and ransomware, a double whammy for anyone who inadvertently installs it on their Android phone.

Xbot Trojan Family Capable of Multiple Acts of Maliciousness

The new Xbot Trojan, which is believed to be of Russian origin, phishes for bank account credentials by targeting specific banking apps, and also phishes users of Google Play. It displays a fake notification carrying the Google Play logo that asks the user to add payment information, mimicking the notification shown by the official Google Play app.

Tapping the notification loads a web page asking the user to enter their credit card number, expiry date and CVV, along with the cardholder's name, registered address and phone number, and their Verified by Visa password or MasterCard SecureCode. The Xbot Trojan can also intercept the SMS messages used for two-factor authentication, so stolen card or banking credentials can be used even when one-time codes are sent by text.

So far, Palo Alto has discovered fake web pages used by the malware to target customers of seven Australian banks, with login interfaces that closely mimic those of the legitimate apps. Victims are asked to enter their customer ID numbers and passwords. The malware does not compromise the legitimate banking apps themselves; it only imitates their interfaces.

The C2 server contacted by the malware decides which fake login page to display, so the Trojan could easily be adapted to target other banks in other countries without changing the code on the device.

Additionally, the Xbot Trojan can encrypt files on the device on which it is installed. It then displays a WebView page claiming the device has been locked by CryptoLocker and demands a ransom of $100 to unlock it, to be paid via a PayPal My Cash card within five days.

While the lock screen tells the victim that paying the ransom is the only way to get their encrypted files back, the encryption used is not particularly robust, and the files could potentially be recovered without paying.

The Xbot Trojan is also an information stealer: it collects the phone's contacts and exfiltrates them to its C2 server, and it can intercept all SMS messages received after it is installed.

Xbot Trojan is the Latest Incarnation of Aulrin?

The Xbot Trojan uses activity hijacking: when the user opens a targeted app, the malware launches its own malicious activity on top of the intended one. The user believes they are using the correct application, such as their banking app, but is actually handing their banking credentials to the attackers behind the malware. So far, Palo Alto has identified 22 samples in the new Xbot Trojan family.
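The behaviour described above (activity hijacking, interception of 2FA SMS, and contact exfiltration) maps onto a recognisable set of Android permissions and manifest components, which is a cheap first triage check for any suspicious APK. The script below is an added example written for this page, not Palo Alto's tooling and not derived from Xbot samples: the permission names and intent action are standard Android ones, the capability groupings are the editor's assumption about what each behaviour needs, and the manifest is constructed for the example (an unpacked APK's `AndroidManifest.xml`, decoded with a tool such as apktool, would be passed in its place).

```python
"""Triage an Android manifest for the capability set a banking Trojan needs.

Added illustration for this page. The manifest below is constructed; the
permission names and the SMS_RECEIVED action are standard Android identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Behaviour -> permissions an app would need to implement it (editor's grouping).
CAPABILITIES = {
    "sms_interception": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "contact_exfiltration": {
        "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
    # Activity hijacking needs to know which app is in the foreground
    # (legacy GET_TASKS) or to draw a window over it (SYSTEM_ALERT_WINDOW).
    "activity_hijack_or_overlay": {
        "android.permission.GET_TASKS",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
}

# Constructed manifest in the shape such a sample might have.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsGrabber">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <activity android:name=".Main" android:exported="true"/>
  </application>
</manifest>
"""


def android_attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def sms_receivers(root):
    """Return (receiver name, priority) for every SMS_RECEIVED receiver.

    A very high priority is the classic way to see an incoming SMS before the
    default messaging app (and, on pre-4.4 Android, to abort the broadcast so
    the victim never sees the one-time code).
    """
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(android_attr(flt, "priority") or 0)
                found.append((android_attr(receiver, "name"), priority))
    return found


def triage(manifest_xml):
    """Summarise which of the page's described behaviours the manifest enables."""
    root = ET.fromstring(manifest_xml)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    caps = {cap: sorted(perms & need)
            for cap, need in CAPABILITIES.items() if perms & need}
    receivers = sms_receivers(root)
    # The combination that matters: credential phishing on top of another app
    # plus the ability to read the 2FA SMS that protects those credentials.
    banker_like = ("activity_hijack_or_overlay" in caps
                   and "sms_interception" in caps
                   and any(prio >= 1000 for _, prio in receivers))
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "sms_receivers": receivers,
        "banker_like": banker_like,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

Treat the result as a triage signal rather than a verdict: legitimate SMS and launcher apps request some of these permissions too, and a manifest cannot show the C2-selected overlay pages or the JavaScript logic the article describes, which need dynamic analysis of the sample.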

Palo Alto researchers believe the malware is a successor to the Aulrin Trojan, which first appeared in 2014. The two Trojans share some resource files and have similar code structures, but they are implemented differently: Aulrin used the .NET framework and Lua, whereas the Xbot Trojan uses JavaScript executed through Mozilla's Rhino engine. Palo Alto researchers believe the Aulrin code was simply rewritten in a different language.

The first samples of the malware appeared in late spring last year, and the variants that have appeared since have grown more complex, making them harder to detect.

The good news, unless you live in Russia or Australia, is that infections have so far been confined to those two countries. The bad news is that the malware's flexible, C2-driven infrastructure means it could very easily be adapted to target other Android apps and other regions.