Security researchers at Palo Alto Networks have discovered 22 Android apps belonging to a new Trojan family, Xbot, which bundles ransomware and spyware functionality.
“This Trojan, which is still under development and regularly updated, is already capable of multiple malicious behaviors. It tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of 7 different banking apps. It can also remotely lock infected Android devices, encrypt the user’s files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom,” researchers said.
The Trojan uses a popular attack technique called “activity hijacking”, which abuses legitimate features of Android.
In one type of attack, Xbot monitors which app the user has launched; if it is an online banking app, Xbot intervenes and displays an interface that overlays the real app’s interface and tricks the user into entering his/her credentials, which are then sent to the attackers’ command and control server.
It also brings up a WebView interface claiming that the device has been locked by CryptoLocker, then encrypts the user’s files on the device’s external storage and demands US $100, paid via PayPal, for the decryption key.
So what are your chances of getting infected by this trojan?
“While Android users running version 5.0 or later are so far protected from some of Xbot’s malicious behaviors, all users are vulnerable to at least some of its capabilities. As the author appears to be putting considerable time and effort into making this Trojan more sophisticated and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow, and that the attacker will expand its target base to other regions around the world,” researchers warned.
For now, at least, it appears to mainly target Android users in Russia and Australia.