We are tracking the growing number of mobile applications targeted by the emerging Alien Mobile Banking Trojan. A fork of Cerberus, Alien continues to bypass Google’s malware detection and is expanding its reach across a wide range of financial and non-financial apps. To date, Alien has been linked to 87 brands that were not previously targeted by Cerberus.
Cerberus versus Alien Brands Targeted
Prior to its decline, Cerberus dominated the mobile malware landscape in both functionality and attack volume. Cerberus was sold as malware-as-a-service (MaaS) and targeted 139 known brands during its life.
Since January 2020, Alien has been observed targeting 226 different brands. Alien's high target count is likely a result of its adoption by a growing number of threat actors drawn to enhancements that raise the success rate of fraud. Like Cerberus, it is sold as MaaS, with built-in features that support a wide range of objectives.
Specifically, Alien has capabilities not previously seen in Cerberus, such as the ability to install and operate TeamViewer for Android on the infected device. TeamViewer gives the operator full remote-control access to the device, including the ability to change device settings, interact with applications, and monitor user behavior.
Alien's authors have also incorporated a notification sniffer that gives the operator access to every new notification on the infected device. This includes the ability to steal one-time codes from Google's Authenticator application, enabling actors to bypass two-factor authentication.
Alien retains the features originally associated with Cerberus, including keylogging, SMS harvesting, and dynamic overlays.
Financial Institutions versus Non-Financials Targeted by Alien
Notably, Alien is being used against a growing number of non-financial institutions, more so than other mobile and desktop malware we track. This approach improves the effectiveness of Alien campaigns because users tend to be less vigilant when interacting with applications not traditionally associated with fraud.
While captured email credentials have value on their own, Alien operators increasingly use custom overlays with dynamic targeting to capture financial credentials through non-financial apps. The infected device reports its list of installed apps to the operator, who picks the desired targets; when the victim opens one of them, Alien supplants the real application on screen with an overlay. The overlay is custom HTML styled to resemble the target app, and it asks the victim for payment details or identity verification.
Below is an example of Alien operators impersonating a popular video streaming service to steal both email and credit card information.
[Figures: fake customer login page; fake credit card entry form]
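The capabilities described above (screen overlays, reading all notifications, accessibility-driven navigation of TeamViewer, SMS harvesting, and installing additional packages) each correspond to an Android privilege that can be enumerated from a device. The following triage script is an added example, not code from the original post or from the Alien authors: it parses constructed text modelled on the output of `adb shell settings get secure enabled_accessibility_services`, `enabled_notification_listeners`, and the `granted=true` permission lines of `dumpsys package`, then flags packages whose combined privileges match that capability set. Package names and the sample output are constructed for illustration.

```python
"""Triage installed Android apps for the overlay / notification / remote-control
capability set. Added example; all package names and adb output are constructed."""
from dataclasses import dataclass, field

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"     # side-load e.g. a remote-control tool
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


@dataclass
class AppProfile:
    package: str
    permissions: set = field(default_factory=set)
    accessibility: bool = False          # listed in Settings.Secure enabled_accessibility_services
    notification_listener: bool = False  # listed in Settings.Secure enabled_notification_listeners


def parse_service_setting(value):
    """Settings.Secure service lists are 'pkg/cls:pkg2/cls2' (or 'null'); return the packages."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_dumpsys_permissions(text):
    """Collect permissions that `dumpsys package <pkg>` reports as granted=true."""
    granted = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("android.permission.") and ": granted=true" in line:
            granted.add(line.split(":", 1)[0])
    return granted


def score(profile):
    """Return (score, reasons): one point per matched capability."""
    reasons = []
    if OVERLAY in profile.permissions:
        reasons.append("overlay: SYSTEM_ALERT_WINDOW")
    if profile.accessibility:
        reasons.append("accessibility service enabled (UI navigation, remote control)")
    if profile.notification_listener:
        reasons.append("notification listener enabled (reads all notifications, incl. OTP codes)")
    if SMS & profile.permissions:
        reasons.append("SMS read/receive")
    if INSTALL in profile.permissions:
        reasons.append("can request package installs")
    return len(reasons), reasons


def build_profiles(a11y_setting, listener_setting, dumpsys_by_pkg):
    a11y = parse_service_setting(a11y_setting)
    listeners = parse_service_setting(listener_setting)
    return [
        AppProfile(pkg, parse_dumpsys_permissions(text), pkg in a11y, pkg in listeners)
        for pkg, text in dumpsys_by_pkg.items()
    ]


def triage(profiles, threshold=3):
    """Packages scoring at or above threshold, with the reasons. A legitimate app rarely
    combines overlay + accessibility + notification access + SMS, so 3+ is a strong signal."""
    return {p.package: score(p) for p in profiles if score(p)[0] >= threshold}


# Constructed sample device state (hypothetical packages; not real telemetry).
SAMPLE_A11Y = "com.example.flashlight/.A11yService:com.android.talkback/.TalkBackService"
SAMPLE_LISTENERS = "com.example.flashlight/.NotifService"
SAMPLE_DUMPSYS = {
    "com.example.flashlight": """
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
    """,
    "com.example.bank": """
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
    """,
    "com.android.talkback": """
    install permissions:
      android.permission.FOREGROUND_SERVICE: granted=true
    """,
}


def run_example():
    return triage(build_profiles(SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_DUMPSYS))


if __name__ == "__main__":
    for pkg, (n, reasons) in run_example().items():
        print(f"{pkg}: score {n}")
        for r in reasons:
            print(f"  - {r}")
```

On a real device, feed the script the live output of the three adb commands above rather than the constructed strings. The threshold is a heuristic: a screen reader legitimately holds accessibility access, and a messaging app legitimately reads SMS, but a single sideloaded utility holding overlay, accessibility, notification-listener and SMS privileges together is the profile the overlay and notification-sniffing techniques described in this post require.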
Alien's enhanced features and broader targeting capabilities appear to be making it the mobile MaaS of choice for threat actors. As long as it continues to evade Android's security controls, we expect adoption of Alien to continue increasing.
Fortra Brand Protection helps organizations protect against mobile malware threats such as Alien. Learn more about Digital Risk Protection solutions.