Alien Malware Description
Security researchers have discovered a new strain of Android Trojan malware. They dubbed it Alien and analyzed its underlying code to understand its behavior and how it functions. It must be noted first that Alien is offered as Malware-as-a-Service (MaaS) on underground hacker forums. As a result, no single distribution method or attack vector can be established, since both depend on the preferences of each group renting the malware. Still, the most common methods appear to be phishing pages that offer either fake coronavirus-related applications or fake software updates. Another distribution method is SMS: Alien collects the contact list of the infected device and uses it to spread the campaign further.
Alien Is Taking the Space Left by Cerberus
When looking at Alien's code, the infosec experts noticed that significant chunks of it resemble Cerberus, another malware that was offered as MaaS. Cerberus gained notoriety in 2019, but its operations went into rapid decline when Google developed a way to both detect the malware and clean any device infected by it. When that happened, the hackers behind Cerberus decided to extract as much money as possible and put the malware's code up for auction with a target of $100,000. When that plan failed, Cerberus' source code was simply leaked online for free, so every cybercriminal now has access to it.
Although Alien appears to be based on an older Cerberus variant, it carries out its threatening activity without any problems. In fact, it is significantly more sophisticated than its predecessor, with numerous new covert capabilities and an expanded target list.
Alien Can Collect Credentials for Over 200 Applications
At its core, the Alien Malware is a banking Trojan. It attempts to collect credentials for 226 applications by showing users fake login pages that capture usernames, passwords and other login details. Most of the targeted applications belong to e-commerce services and banks, but Alien also targets communication and social media platforms such as Gmail, Facebook, Telegram, Twitter, Snapchat and WhatsApp. Various cryptocurrency applications are also among its targets. Most of the banking applications that Alien phishes for belong to institutions in Spain, Turkey, Germany and the United States, followed by Italy, France and Poland.
Apart from its data collection capabilities, such as overlaying content on top of other applications and logging keyboard input, Alien is equipped with some nasty remote access functions. It can start a TeamViewer instance on the infected device, which gives the hackers expanded control over it. Keep in mind that the criminals may already have collected several of the user's login credentials, which can be used in tandem with Alien's ability to both install and start other applications.
Alien's many other functions include collecting contact lists; collecting, reading and sending SMS messages; intercepting 2FA codes; and launching a browser application to open specific pages.
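Each of the capabilities above maps to a concrete Android permission or setting that an analyst or device administrator can inventory, so the behaviours described in this section and the previous one can be turned into a simple triage check. The script below is an added example written for this article, not code from the original post or from the researchers' analysis. It assumes an inventory exported in a constructed "package installer permissions" text format; the accessibility-service string it parses is the real format returned by `settings get secure enabled_accessibility_services`; the expected accessibility service and the TeamViewer package names are assumptions for the example.

```python
"""Defender-side triage of an Android app inventory for the permission
combination that an overlay-and-SMS banking Trojan such as Alien relies on.
Added example, not code from the article or from the malware analysis it
summarizes. The inventory text format is constructed for this example; the
accessibility-setting format is the one Android actually uses."""
from dataclasses import dataclass

# Real Android permission names behind the behaviours the article describes.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"       # draw fake login pages over other apps
READ_SMS = "android.permission.READ_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"           # intercept SMS-delivered 2FA codes
SEND_SMS = "android.permission.SEND_SMS"
READ_CONTACTS = "android.permission.READ_CONTACTS"       # harvest contacts for SMS spreading
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"  # install further apps

PLAY_STORE = "com.android.vending"   # installer package reported for Play-installed apps

# Accessibility services expected on a managed fleet (assumption for this example).
EXPECTED_A11Y = {"com.google.android.marvin.talkback"}
# Remote-access tool packages (assumed names) that warrant a second look when sideloaded.
REMOTE_ACCESS_PKGS = {"com.teamviewer.quicksupport.market", "com.teamviewer.host.market"}


@dataclass
class App:
    package: str
    installer: str
    permissions: set


def parse_inventory(text):
    """Parse constructed '<package> <installer> <perm,perm,...>' lines into App records."""
    apps = []
    for line in text.strip().splitlines():
        pkg, installer, perms = line.split()
        apps.append(App(pkg, installer, set(perms.split(","))))
    return apps


def parse_accessibility(setting):
    """Split the 'pkg/cls:pkg/cls' value of enabled_accessibility_services
    into the set of package names that currently run an accessibility service."""
    if not setting or setting == "null":
        return set()
    return {entry.split("/")[0] for entry in setting.split(":") if entry}


def triage(apps, accessibility_setting):
    """Return {package: [finding, ...]} for apps showing Alien-style indicators."""
    enabled_a11y = parse_accessibility(accessibility_setting)
    findings = {}
    for app in apps:
        notes = []
        p = app.permissions
        sideloaded = app.installer != PLAY_STORE
        if app.package in enabled_a11y and app.package not in EXPECTED_A11Y:
            notes.append("unexpected accessibility service enabled (keylogging/overlay trigger)")
        if OVERLAY in p and ({READ_SMS, RECEIVE_SMS} & p):
            notes.append("overlay permission combined with SMS access (credential + 2FA theft)")
        if SEND_SMS in p and READ_CONTACTS in p:
            notes.append("can send SMS to harvested contacts (self-propagation)")
        if INSTALL_PACKAGES in p and sideloaded:
            notes.append("sideloaded app able to install further packages")
        if app.package in REMOTE_ACCESS_PKGS and sideloaded:
            notes.append("remote-access tool installed outside the app store")
        if notes:
            findings[app.package] = notes
    return findings


# Constructed sample inventory: a Play-installed bank app, a sideloaded "update"
# app with the suspicious combination, a sideloaded remote-access tool, and a
# legitimate accessibility service.
SAMPLE_INVENTORY = """
com.example.bank com.android.vending android.permission.INTERNET
com.example.flashupdate null android.permission.SYSTEM_ALERT_WINDOW,android.permission.READ_SMS,android.permission.RECEIVE_SMS,android.permission.SEND_SMS,android.permission.READ_CONTACTS,android.permission.REQUEST_INSTALL_PACKAGES
com.teamviewer.quicksupport.market null android.permission.INTERNET
com.google.android.marvin.talkback com.android.vending android.permission.INTERNET
"""
SAMPLE_A11Y = ("com.example.flashupdate/com.example.flashupdate.AccService:"
               "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")

if __name__ == "__main__":
    for pkg, notes in triage(parse_inventory(SAMPLE_INVENTORY), SAMPLE_A11Y).items():
        print(pkg)
        for note in notes:
            print("  -", note)
```

The check deliberately scores combinations rather than single permissions: a legitimate SMS app holds READ_SMS and a screen reader runs an accessibility service, but a sideloaded "update" that holds the overlay permission, reads incoming SMS, can message every contact and installs packages is the profile this section describes. On a real device the inventory would be built from `pm list packages`, `dumpsys package` and the accessibility setting rather than the constructed text used here.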
The Alien Malware is a potent Android Trojan that can cause severe damage once it infects a device. The best protection is to prevent the infection in the first place by paying close attention to where you download any application you decide to install.