25 February 2016

Palo Alto Networks describes behaviour of XBot Android trojan

Palo Alto Networks has recently discovered 22 Android apps belonging to a new Trojan family called Xbot. This Android Trojan is regularly updated and is capable of multiple malicious behaviours.

Xbot tries to steal victims’ banking credentials and credit card details via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of seven different banks’ apps. Within Asia Pacific, only users in Australia have been targeted so far; outside the region, Android users in Russia have also been targeted. Importantly, of the seven bank apps Xbot has been seen to imitate, six belong to some of the most popular banks in Australia.

While this malware does not appear to be widespread, Palo Alto Networks researchers observed the author making regular updates and improvements indicating that this malware could soon threaten Android users across the world.

Apart from stealing banking and credit card details, this malware can also remotely lock infected Android devices. It can encrypt the user’s files in external storage such as SD cards and demand a US$100 PayPal cash card as ransom. In addition, Xbot can also steal all SMS messages and contact information, intercept certain SMS messages, and analyse SMS messages for mTANs (mobile transaction authentication numbers) from banks.

Xbot primarily relies on a well-known attack technique called activity hijacking, which abuses features of Android itself. It is important to note that the apps Xbot mimics are not themselves being exploited. Starting with Android 5.0, Google adopted a protection mechanism to mitigate this attack, but the other attack approaches used by Xbot still affect all versions of Android. Xbot was implemented in a flexible architecture that could easily be extended to target more Android apps.

While Android users running version 5.0 or later are so far protected from some of Xbot’s malicious behaviours, all users are vulnerable to at least some of its capabilities. As the creator appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow, and that the attacker will expand its target base to other regions around the world.

Palo Alto Networks recommends using preventive security measures that automatically detect unknown malware and generate protection sets before an enterprise or device is compromised. Customers can also refer to IPS signature (13997) for details about Xbot C2 traffic information.

Interested?

Read the blog post about XBot from Palo Alto Networks
