New Mobile Banking Trojan Can Infect Millions of Android Users

Banking Trojans have regained a lot of their past popularity over the past few months. While these tools have been around for several years now, they are once again becoming commonplace. A new Android banking Trojan was discovered not too long ago. This malware goes by the name of Red Alert 2.0 and is currently part of a growing distribution campaign.

Red Alert 2.0 is a new Android Banking Trojan

The mobile ecosystem is fast becoming the new playground of cybercriminals these days. Whereas most malware was originally developed for computers and desktop operating systems, malware creations are slowly shifting to the mobile ecosystem. It is mainly the Android platform that is getting a lot of attention from banking Trojan developers these days.

With the discovery of Red Alert 2.0, it seems things have taken another turn for the worse. The malware was discovered by researchers from SfyLabs, who noticed advertisements for this Trojan on a Russian hacking forum. The latter point is not all that unusual, considering most malware is bought and sold on Russian hacking forums these days. It appears this malware is being distributed on a large scale.

Several Android apps have already been infected with this banking Trojan, and its command & control servers have been tracked down already. All of this hints at how Red Alert 2.0 will continue to be distributed over the coming weeks and months. All of the applications infected with this malware are distributed through third-party app stores, rather than the Google Play Store itself.

So far, no Red Alert 2.0-laden applications have made it onto the Play Store just yet, but that may change in the future. This new malware is pretty similar to older versions of banking Trojans. It will not become active until the infected victim visits a banking or social media application. Once he or she opens such an app, the Trojan will overlay an HTML-based version of the original app on the display. Users will need to authenticate again, which is when their login credentials are captured.

Once the developers or distributors successfully obtain users’ login credentials, they will try to make fraudulent transactions. It is also possible they will use social media credentials to post spam or distribute malicious software. Red Alert 2.0 is capable of collecting contact lists from infected devices, and it can both bypass 2FA and suppress notifications. All of this functionality has been part of previous iterations of banking Trojans in the past, so this new tool does not stand out in that regard.

However, the people selling this banking Trojan evidently feel it is worth US$500. That is quite the steep price, although the potential for higher returns is certainly there. The developer also claims that customers will receive new HTML overlays on a regular basis to increase their chances of success. More features may be added in the future as well, including VNC support and remote control features. The only upside is that the malware only works on older versions of Android, including Marshmallow.