New Android Malware Combines Ransomware with a Banking Trojan


Android Xbot will be a dangerous threat if it is ever completed. Malware targeting Android devices is evolving day by day and is starting to rival its desktop-based counterparts. One of the most complex threats targeting the Android ecosystem is Xbot, a newly discovered Android malware that combines a banking trojan, an infostealer, and ransomware.

According to security researchers from Palo Alto Networks, Xbot seems to be a second-generation threat evolved from the Aulrin Android trojan, spotted first in 2014.

While Aulrin was coded in Lua and the .NET framework, this time around, Xbot’s developer wrote the malware’s code relying more on JavaScript (through Mozilla’s Rhino framework).

So far, security researchers say they have seen 22 different Android apps infected with the Xbot malware, all of which are distributed from the developer’s own servers rather than through Google Play. Palo Alto says Xbot appears to be in a testing phase and is not yet being spread through more active distribution channels.

Xbot – the banking trojan

In its most recent version, Xbot’s banking trojan component only targets seven banks, six of which are well-known Australian banks. But don’t let this fool you. Researchers say that, based on the domains used to distribute the malware and on code comments in earlier versions, Xbot’s author appears to be of Russian origin.

Xbot’s banking trojan component is also not that intrusive: it relies on simple Web injection packages, which appear to be interchangeable, so it could target banks in any country if the developer wished to.

Besides stealing credentials for banking portals, Xbot also pays a lot of attention to getting the user’s credit card details via a phishing page made to look like the Google Play payment page.

This phishing page is triggered via an activity hijacking technique, which is ineffective on devices running Android 5.0 and higher.

Xbot – the ransomware

Like most malware these days, Xbot talks to a C&C (command and control) server. Once the C&C server has collected all the banking details it wants, it can instruct Xbot to lock the device and/or encrypt the user’s files.

The ransomware component is quite complex: Xbot not only goes after the phone’s internal storage but also locks external SD cards.

Fortunately, the encryption algorithm is extremely weak, and most users will be able to decrypt their files with the help of a cryptography expert. The algorithm simply XORs each byte of every file with a fixed integer (50), so applying the same operation again restores the original data.
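The weak scheme described above, as an added example that is not from the article or from the Palo Alto report: a small Python recovery routine that undoes a single-byte XOR (key 50, as stated), confirms the result against known file headers, and, going beyond the article, recovers the key from a known header for any single-byte key. The constant and function names and the magic-byte table are ours, and the sample data is constructed.

```python
from typing import Optional, Tuple

# Key the article attributes to Xbot; name is our own.
XBOT_XOR_KEY = 50

# Constructed table of file headers used to confirm that a recovery worked.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/apk",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    if not 0 <= key <= 255:
        raise ValueError("single-byte key must be in 0..255")
    return bytes(b ^ key for b in data)


def identify(data: bytes) -> Optional[str]:
    """Return the file type whose magic bytes match the start of data, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def recover_key(scrambled: bytes) -> Optional[int]:
    """Derive the key from a known header: scrambled[i] ^ magic[i] must be the
    same value for every header byte. Returns 0 for an unscrambled known file."""
    for magic in MAGIC:
        if len(scrambled) < len(magic):
            continue
        candidates = {s ^ m for s, m in zip(scrambled, magic)}
        if len(candidates) == 1:
            return candidates.pop()
    return None


def decrypt_file(scrambled: bytes, key: int = XBOT_XOR_KEY) -> Tuple[bytes, Optional[str]]:
    """Undo the XOR and report which known file type the result looks like."""
    plain = xor_bytes(scrambled, key)
    return plain, identify(plain)


# Constructed sample: a PNG signature plus the start of its IHDR chunk.
SAMPLE_PLAIN = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
SAMPLE_SCRAMBLED = xor_bytes(SAMPLE_PLAIN, XBOT_XOR_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_SCRAMBLED))
    data, kind = decrypt_file(SAMPLE_SCRAMBLED)
    print(kind, data == SAMPLE_PLAIN)
```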

For the ransomware component to work fully, the app infected with Xbot needs to request device administrator privileges when the user installs it. These privileges are used to lock the user’s screen, encrypt files, and power the banking trojan’s phishing abilities, so users should avoid granting admin rights to side-loaded applications.

Xbot – the infostealer

And just in case Xbot wasn’t dangerous enough, the malware can also steal personal information, which is uploaded to Xbot’s C&C server, where it is processed in real time or stored for later use.

In the most recent version, Palo Alto researchers say they have seen Xbot collecting data such as the phone’s contact list and SMS messages, with the latter gathered to harvest confirmation codes for premium numbers or 2FA services.

Since Palo Alto says Xbot is still in its infancy, most users will probably not be looking forward to seeing this threat in a mature, stable, and fully featured version.