There’s a new Android Trojan circulating that has the ability to not only steal victims’ banking credentials and texts from banks, but also can lock infected devices, encrypt their contents, and hold them for ransom.
The Xbot malware is part of the growing sector of mobile ransomware, a threat that has plagued desktops for years. Ransomware is a broad category, but in general these pieces of malware are designed to either lock users’ machines or encrypt all of the files and demand some kind of payment in order to get them back. Some ransomware gangs have been very successful, bringing in millions of dollars a year from victims. Having proved their business model on PCs, some ransomware authors now have moved on to the mobile platform.
There have been several other examples of mobile ransomware in the last couple of years, but the Xbot malware has a highly flexible architecture and a variety of capabilities that set it apart. The two most significant threats to users are the information-stealing and ransom capabilities. Xbot has the ability to generate authentic-looking, but fake, login pages for a variety of banks, mainly in Australia at the moment.
“In some samples, Xbot will also intercept and parse specific SMS messages.”
“In the activity hijacking attack scenario, the faked app interfaces are also webpages downloaded from a C2 and displayed by WebView. So far we’ve found 7 different faked interfaces. We identified 6 of them – they’re imitating apps for some of the most popular banks in Australia. The interfaces are very similar to these banks’ official apps’ login interfaces. If a victim fills out the form, the bank account number, password, and security tokens will be sent to C2 server,” researchers from Palo Alto Networks wrote in an analysis of the Xbot malware.
The malware authors know that some banks have implemented additional security measures to protect against fraudulent transactions, so they have built in functionality to monitor incoming text messages. In some cases, banks will send texts with transaction authentication numbers to authenticate transactions. The Xbot malware has the ability to find and steal those.
“In some samples, Xbot will also intercept and parse specific SMS messages. It parses all SMS messages sent by a specific premium rate SMS short number in an attempt to collect the victim’s account and confirmation numbers from a bank in Russia, and then uploads the information to its C2 server,” the Palo Alto researchers said.
The ransomware capability in Xbot is not the most sophisticated, but it’s still worrisome for victims. The attackers behind the malware can send a remote command to an infected device to encrypt the phone’s contents, including any external storage, and display a message telling the user that the phone is encrypted. The encryption is very simple, but most victims likely wouldn’t have the technical expertise to know that or do anything about it. The malware demands a payment of $100 to unlock the phone.
Image from Flickr stream of Anonymous Account.