The wham-bam-thank-you-maam of all Trojans has been discovered

The wham-bam-thank-you-maam of all Trojans has been discovered by security researchers at Palo Alto that asks for ransom for encrypted files, steals personal info, passwords, online banking credentials and credit card details, and then sells it on as well.

The Trojan in question is Xbot which has been found to mimic 22 different Android apps. Palo Alto believes it has been developed from an older Android Trojan named Aulrin, and it says the Trojans may even have the same author as they have similar code structures and behaviours and share some files.

The researchers are largely unsure how Xbot spreads, but once it is active it contacts a command server for its next instructions. The researchers said, “When certain commands are received it will launch phishing attacks at users of Google Play and certain Australian bank apps. We observed three different phishing approaches and one use of activity hijacking.”

If Xbot has been authorised as a device administrator and is ordered to do so by the command server, it will switch the phone to silent mode, reset its password, display a ransom note (a web page loaded via WebView) and make that note hard to dismiss from the screen.

Luckily, the "encryption" it applies to the victim's files consists of simply XORing every byte of every file with the fixed integer 50. Applying the same XOR a second time restores the original bytes, so the malware's claim that the files cannot be decrypted without paying the ransom and receiving a decryption key is not true.
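To show why a fixed single-byte XOR offers no protection, here is an added recovery example; it is not Palo Alto's code nor anything taken from the malware. The key value 50 comes from the article; the file names, the small table of file signatures and the "constructed image" payload are assumptions made for the demo. It goes a step beyond the article by also brute-forcing the key from a known file header, which is how a responder would handle a variant that changed the constant.

```python
# Added illustration of why XOR with a fixed byte is reversible without any key
# material from the attacker. Not code from the article, Palo Alto or Xbot.
from pathlib import Path
import tempfile

XBOT_KEY = 50  # the fixed single-byte value reported in the article

# Well-known file headers used to recognise a restored file (constructed table)
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}


def xor_fixed(data: bytes, key: int = XBOT_KEY) -> bytes:
    """XOR every byte with one fixed key. Since (b ^ k) ^ k == b, the very same
    function both reproduces the damage and undoes it; no secret is involved."""
    return bytes(b ^ key for b in data)


def identify_xored(data: bytes, key: int = XBOT_KEY):
    """Return the file type if XORing the header with `key` yields a known
    signature, otherwise None. Lets a responder confirm this scheme was used."""
    restored = xor_fixed(data[:8], key)
    for magic, name in KNOWN_MAGIC.items():
        if restored.startswith(magic):
            return name
    return None


def guess_key(data: bytes):
    """Brute-force the single-byte key (only 256 candidates) against the
    signature table; returns (key, type) or None. Useful if a variant changes
    the constant (an assumption for the demo, the article reports only 50)."""
    for key in range(256):
        kind = identify_xored(data, key)
        if kind:
            return key, kind
    return None


def recover_file(path: Path, key: int = XBOT_KEY) -> Path:
    """Write a recovered copy beside the damaged file; the original is untouched
    so that forensic evidence is preserved."""
    out = path.with_suffix(path.suffix + ".recovered")
    out.write_bytes(xor_fixed(path.read_bytes(), key))
    return out


def demo() -> dict:
    """Round-trip a constructed PNG-like file through the scheme and back."""
    original = b"\x89PNG\r\n\x1a\n" + b"constructed image payload"
    with tempfile.TemporaryDirectory() as tmp:
        damaged = Path(tmp) / "photo.png"
        damaged.write_bytes(xor_fixed(original))  # simulate what the malware does
        kind = identify_xored(damaged.read_bytes())
        recovered = recover_file(damaged).read_bytes()
    return {
        "kind": kind,
        "recovered_ok": recovered == original,
        "damaged_differs": xor_fixed(original) != original,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'kind': 'png', 'recovered_ok': True, 'damaged_differs': True}`: the header is recognisable after one XOR pass and the file comes back byte-for-byte, which is exactly why a victim never needs the attacker's "decryption key".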

The researchers concluded: “While Android users running version 5.0 or later are so far protected from some of Xbot's malicious behaviours, all users are vulnerable to at least some of its capabilities.

“As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it's likely that its ability to infect users and remain hidden will only grow, and that the attacker will expand its target base to other regions around the world.”