A new Android malware going by the name Alien has been discovered and analyzed by security researchers. Discovered by ThreatFabric, who have subsequently released a report detailing their discovery, one of the standout features of the trojan is its ability to steal the credentials from 226 different apps. According to the report, the malware has been active since the start of this year and has been offered as a Malware-as-a-Service (MaaS) on underground hacking forums. This has led to comparisons to Cerberus and Alien been the former’s replacement for the king of the Android hill. There is more to mere comparisons with Cerberus, however, more on that later.
This year alone ThreatFabric has discovered several new Android trojans, all seemingly created with financial motives in mind. Fortunately, not all those discovered turned out to be successful and some have dropped off the map entirely. Whether Alien will join the unsuccessful pile is unknown but given the malware’s rich feature set it would not be wise to bet against it. When it was initially discovered by an analyst it was initially mistaken for another version Cerberus, however, a discovery of a post on an underground hacker forum announcing the development of a new Android malware was an indication of a new malware. Analyzing the samples received, Alien appeared to form part of a new breed of trojans targeting Android devices.
This new breed can be seen as banking trojans that have added remote-access capabilities to their code, making them a hybrid of a banking trojan designed to steal banking credentials and a remote-access trojan.
This allows Alien not only to steal credentials but by having access to the infected device it can actively use those stolen credentials for financial gain. According to security researchers, the malware boasts the following features:
- Overlaying: Dynamic (Local injects obtained from C2)
- Remote access
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Device info collection
- Contact list collection
- Application listing
- Location collection
- Overlaying: Targets list update
- SMS: Sending
- Calls: USSD request making
- Calls: Call forwarding
- Remote actions: App installing
- Remote actions: App starting
- Remote actions: App removal
- Remote actions: Showing arbitrary web pages
- Remote actions: Screen-locking
- Notifications: Push notifications
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
- Architecture: Modular
Most of the above feature set has been used for fraud campaigns and other related financial crimes. This appears to be the current trend dominating Android malware currently, with attackers targeting online accounts for financial gain. Of the above mentioned 226 apps targeted by Alien, most come bundled with fake login pages for banking and other financial orientated apps. However, the malware will also target email, social media, instant messaging, and cryptocurrency apps. The majority of financial institutions targeted are based mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK. In concluding the reports researchers stated,
“In the case of Alien, advanced features such as the authenticator-code stealer and notifications-sniffer aside, the features of the Trojan are quite common. As for many Trojans, the target list can be extended dynamically by the renter and applied to all bots enrolled in the botnet. The targeted applications in the appendix of the article are the concatenated list of targets observed in samples found in the wild, growing to over 226 targeted applications so far.
Although it is hard to predict the next steps of the Alien authors, it would be logical for them to improve the RAT, which is currently based on TeamViewer (and therefore visible when installed and executed on the device). They could also build an ATS feature to automate the fraud process. What can be considered for granted is that the number of new banking Trojans will only continue growing, many embedding new and improved features to increase the success rate of fraud.”
Link to Cerberus
The last time this publication covered Cerberus related news was in July 2020, when a version of the malware was hidden in a currency converter. At the time security researchers noted how quickly the malware had become one of the more serious threats facing Android users. This was done in little over a year, Cerberus being discovered in June 2019, and can be attributed to the quick adoption of MaaS tactics. Alien has learned this lesson well as it provides security researchers with the added task of analyzing how the malware is delivered. As it is often the hackers who rent the malware who will distribute it they will use whatever method they believe is best. This means that a wide variety of delivery methods can be used making defending against an attack harder.
Despite Cerberus’ dramatic rise by August the malware was dead. The death can be attributed to several things including the malware’s flawed architecture, technical limitations of the support staff, and technical issues with the malware itself. These issues were not solved which enabled Google Play Protect to detect all known samples of the malware. This in turn would have left the majority of the malware's customers incredibly unhappy. For the developers behind Cerberus, the writing was on the wall and they attempted to sell the malware along with the customer portfolio for 100,000 USD.
The sale of the malware was attempted via an auction styled sale but turned out to be a dismal failure and the malware’s author publically released the source code to whoever wanted to start their own MaaS company targeting Android devices. It was this public release of the source code that meant Cerberus would live on in other malware designs. Alien is proof of this. Further, researchers still occasionally detect Cerberus campaigns but given how easily Google Play Protect can detect the malware these are ultimately doomed to have minimum impact on the targeted Android user base.
As mentioned above, Alien’s similarities to Cerberus led it to be initially believed to be another version of Cerberus upon discovery. Other than some refactoring of Alien’s architecture remained fundamentally the same as Cerberus. It was only until a forum post advertising a new Android trojan emerged that researchers knew they were dealing with a new piece of malware despite leaning heavily on Cerberus's codebase. There is an overlap in time between Cerberus’s death and Alien’s birth suggesting that Cerberus developers may be behind Alien. Researchers noted,
“Looking at what we know now about what happened with Cerberus and Alien, we could speculate that Cerberus was on the decline as the developers behind the Trojan shifted away from the project with the original source in order to start their own. Interestingly enough, this speculation is corroborated by the fact that when the second version of Cerberus (v2) was released in May 2020, it did not introduce any major new features, except for the one to steal 2FA codes from Google’s authenticator app. The code of that feature code is almost identical to that introduced with the Alien Trojan in February 2020. This indicates that at that time, the developer behind the Cerberus Trojan had access to, and might have been responsible for development of the Alien code.”
While Alien is based on Cerberus there are several differences. For one the command and control server protocols are different but the most striking difference is the remote access module found in Alien. Once the trojan is installed but not active TeamViewer is installed. TeamViewer is a legitimate tool used by organizations to grant IT department’s remote access to machines on the network, hackers have subverted this use to gain access to vulnerable machines to either drop other strains of malware or take control of the device. For the traditional banking trojan, the ability to open and close banking apps on the victim’s device as well as determine user behavior can be seen by attackers as a way to make easy money.
Despite Cerberus' quick rise to prominence amongst Android malware and trojans, its ultimate failure will be what it is remembered for. This failure and subsequent release of the source code does mean that it will leave a heritage of copy cats. In the case of Alien, it has potentially given rise to a new breed of Android malware that has learned from the failures of the past to ultimately produce a scarier malware capable of doing more damage than its predecessor. The addition of remote access capabilities should be concerning and should be a reminder to Android users not to download apps from suspicious, unofficial app stores.