Security researchers have discovered a new threat offered on underground hacker markets: the Red Alert 2.0 Android Trojan. It is an updated version of an earlier Trojan written for the mobile operating system and can cause significant damage to infected devices.
Red Alert 2.0 Android Trojan For Sale
Security researchers recently discovered a dangerous attack campaign carrying a sophisticated Android Trojan; subsequent analysis revealed it to be a new version of a previously known threat. The new malware is called the Red Alert 2.0 Android Trojan, and its main delivery technique at the moment appears to be spam email. The operators use social engineering to persuade the intended victims into downloading and running the malicious files, which may be attached directly to the message or linked from its body.
The analysis reveals that various versions are being offered on underground hacker markets for a monthly access price of $500. The fact that attacks carrying it are already being observed shows that both sides (the creators and their clients) are actively using it as a formidable weapon against individual users, companies and even government facilities. The security analysis confirms that it is an original creation and does not share code with any of the other well-known Android Trojan families.
The Trojan appears to target mainly banking users located in countries such as: Australia, Austria, Canada, Czech Republic, Poland, Denmark, Germany, France, Lithuania, India, Italy, Ireland, Japan, New Zealand, Romania, Spain, Sweden, Turkey, United Kingdom, and the United States.
Red Alert 2.0 Android Trojan Capabilities
Upon execution the main infection engine prepares the host device for a deep infection. It first starts a data harvesting component that builds a complete hardware profile of the victim device and can also expose the victim's identity by collecting strings such as their name, address, location, interests, passwords and account credentials.
The malware can perform a variety of dangerous actions, such as disrupting calls, messages and certain application functions. One of its most important modules establishes a secure connection to a hacker-controlled command-and-control (C&C) server, which is used to receive instructions from the criminals, exfiltrate the harvested data or deploy additional threats.
The malware engine targets popular payment services and widely used mobile apps. Some of the Trojan's components are the following:
- WatchDogService — sets timers to ensure that the malware keeps running periodically.
- ControlService — registers the device as a bot, starts ReadCommandThread, which waits for instructions from the C&C server, and ensures that the device stays connected to the C&C server.
- BootReceiver — ensures all functionality is up and running when the device is rebooted; it restarts the watchdog service every 10 or 30 seconds depending on the OS version.
- SmsReceiver — intercepts SMS messages.
The operators control the infected devices through a web-based graphical user interface, which lets them selectively take over individual devices or generate reports on their attack campaigns. Red Alert 2.0 performs most of its banking attacks by downloading signatures of targeted banking apps and displaying overlays on top of the legitimate user-installed apps, so that the credentials the victim types in go to the criminals. If configured to do so, the malicious code can also intercept two-factor authentication messages. The banking Trojan can also modify the destination addresses of transactions and cryptocurrency wallet operations.
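The component list above (boot receiver, SMS receiver, watchdog service) and the overlay and 2FA-interception behaviour described here leave a recognisable footprint in an app's manifest: a receiver for BOOT_COMPLETED, a receiver for SMS_RECEIVED backed by RECEIVE_SMS, and the SYSTEM_ALERT_WINDOW permission that overlays need. The following triage script is an added example written for this article; it is not code from the Red Alert 2.0 sample or from any published analysis of it. The two manifests embedded in it are constructed for illustration, and the package names, component names and scoring thresholds are assumptions, not identifiers taken from the real malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifests (hypothetical; not extracted from any Red Alert 2.0 APK).
# SUSPECT_MANIFEST models the component shape the article describes: a boot receiver
# for persistence, an SMS receiver, and the permission needed to draw overlays.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flashlight">
    <service android:name=".WatchDogService"/>
    <service android:name=".ControlService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# BENIGN_MANIFEST: a plain network-only app, included for contrast.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract package name, requested permissions and broadcast receivers
    (with their intent-filter actions and highest priority) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        actions, priority = set(), 0
        for flt in rcv.iter("intent-filter"):
            priority = max(priority, int(flt.get(ANDROID_NS + "priority", "0")))
            actions.update(a.get(ANDROID_NS + "name") for a in flt.iter("action"))
        receivers.append({"name": rcv.get(ANDROID_NS + "name"),
                          "actions": actions, "priority": priority})
    return {"package": root.get("package"), "permissions": perms, "receivers": receivers}


def triage(manifest):
    """Return (tag, detail) findings for the SMS-interception / persistence / overlay pattern."""
    findings = []
    perms = manifest["permissions"]
    for rcv in manifest["receivers"]:
        if SMS_RECEIVED in rcv["actions"] and "android.permission.RECEIVE_SMS" in perms:
            findings.append(("sms_intercept", "%s receives SMS_RECEIVED at priority %d"
                             % (rcv["name"], rcv["priority"])))
        if BOOT_COMPLETED in rcv["actions"]:
            findings.append(("boot_persistence", "%s runs on BOOT_COMPLETED (survives reboot)"
                             % rcv["name"]))
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append(("overlay",
                         "SYSTEM_ALERT_WINDOW lets the app draw over other apps (overlay phishing)"))
    return findings


def verdict(findings):
    """Rate the combination: all three behaviours together is the banking-Trojan pattern."""
    tags = {tag for tag, _ in findings}
    if {"sms_intercept", "boot_persistence", "overlay"} <= tags:
        return "high"
    if len(tags) >= 2:
        return "medium"
    return "low"


if __name__ == "__main__":
    for xml_text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        manifest = parse_manifest(xml_text)
        found = triage(manifest)
        print(manifest["package"], verdict(found))
        for tag, detail in found:
            print("  [%s] %s" % (tag, detail))
```

Run it against the AndroidManifest.xml that apktool decodes out of an APK (`apktool d app.apk`); the manifest inside the APK itself is binary XML and will not parse as-is. Treat the result as triage rather than detection: legitimate SMS and screen-overlay apps request the same permissions, so a "high" rating is a reason to pull the APK into dynamic analysis, not a conviction on its own.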
We expect more hacker groups to leverage it against users worldwide. At the moment not all security software detects the current versions.