3-in-1 Android malware acts as ransomware, banking Trojan and infostealer

Why stop at asking ransom for encrypted files when you can also steal personal info, passwords, online banking credentials and credit card details, and then sell it or use it to get even more money?

Palo Alto researchers have recently analyzed Xbot, a Trojan that is capable of doing all the aforementioned things, and have found it mimicking 22 different Android apps.

Xbot is a threat that they believe evolved from the old Aulrin Android Trojan – they have similar code structures and behaviors, and share some files. The researchers believe that the two Trojans have the same author.

They still don’t know how Xbot spreads in the wild, but once it’s on a target’s phone, it contacts its C&C server for instructions on what to do.

“When certain commands are received it will launch phishing attacks at users of Google Play and certain Australian bank apps. We observed three different phishing approaches and one use of activity hijacking,” the researchers shared.


The Trojan is after credit card details, the target’s billing address and phone number, online banking credentials, bank account numbers, passwords, and security tokens. Once information is entered in the phishing pages and fake banking app interfaces, it is sent to the C&C server.

The same fate awaits the victims’ phone book, and received SMS messages – they are exfiltrated to the C&C server.

Finally, if Xbot has been authorized as a device administrator by the victim after it was initially installed, and gets the right order from the C&C server, it will switch the phone to silent mode, reset its password, display a ransom note (a webpage shown via WebView), and make it so that the note can’t be easily removed from the screen.

The malware does encrypt files, but it does so by simply XORing each byte in all files with the fixed integer number 50. That means that the malware’s claim that the files can’t be decrypted without paying the ransom and receiving the decryption key is not true.
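Because XOR with a fixed byte is its own inverse, affected files can be restored by applying the same operation again. The following recovery sketch is an added example, not code from the researchers or the article; it assumes the key is decimal 50 applied to every byte as described above, and the function names and the small table of file signatures are illustrative choices.

```python
import os
import tempfile

XOR_KEY = 50  # fixed value reported in the article (decimal 50 = 0x32)
TABLE = bytes(b ^ XOR_KEY for b in range(256))  # byte-wise XOR lookup table

# Assumption: a few common file signatures, used to confirm a file really is
# XORed before touching it (hypothetical selection, extend as needed).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"%PDF-": "pdf", b"PK\x03\x04": "zip"}

def xor_bytes(data: bytes) -> bytes:
    """XOR is its own inverse, so the same call encrypts and decrypts."""
    return data.translate(TABLE)

def identify(header: bytes):
    return next((n for sig, n in MAGIC.items() if header.startswith(sig)), None)

def classify(path: str):
    """Return ('plain' | 'xored' | 'unknown', file type or None)."""
    with open(path, "rb") as f:
        head = f.read(16)
    if (kind := identify(head)):
        return "plain", kind
    if (kind := identify(xor_bytes(head))):
        return "xored", kind
    return "unknown", None

def recover(src: str, dst: str, chunk: int = 1 << 16) -> bool:
    """Stream src through the XOR into dst; skip files that do not look XORed."""
    if classify(src)[0] != "xored":
        return False
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while block := fin.read(chunk):
            fout.write(xor_bytes(block))
    return True

def demo():
    """Constructed sample: a fake PNG, XORed with 50, then recovered."""
    original = b"\x89PNG\r\n\x1a\n" + b"constructed sample payload" * 100
    with tempfile.TemporaryDirectory() as d:
        locked, restored = os.path.join(d, "a.png"), os.path.join(d, "a.out")
        with open(locked, "wb") as f:
            f.write(xor_bytes(original))
        state = classify(locked)
        ok = recover(locked, restored)
        with open(restored, "rb") as f:
            return state, ok, f.read() == original, recover(restored, locked)
```

Checking the header before writing prevents the script from XORing a file that was never encrypted, which would corrupt it; recovered copies are written to a new path so the affected originals stay available as evidence.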

“While Android users running version 5.0 or later are so far protected from some of Xbot’s malicious behaviors, all users are vulnerable to at least some of its capabilities. As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow, and that the attacker will expand its target base to other regions around the world,” the researchers concluded.