Red Alert banking malware steals credentials
According to a blog post by SyfLabs, Red Alert 2.0 can steal victims' banking credentials and harvest their contact lists. The malware also takes over SMS functions and blocks calls associated with banks and other financial institutions.

Researchers said that the malware features other functions that have not been seen in other Android banking trojans. It was also written from scratch, they said, rather than being an evolution from “leaked sources of older Trojans”.

“Another interesting vector is the use of Twitter to avoid losing bots when the C2 server is taken offline (NTD). When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account. This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan,” said researchers.

When the user opens an application targeted by Red Alert, the malware draws an overlay on top of it. When the user tries to log in through the overlay, they are shown an error page, while the credentials they entered are sent to the C2 server.

“To determine when to show the overlay and which overlay to show, the topmost application is requested periodically. For Android 5.0 and higher, the malware uses Android toolbox, which is different from the implementation used by other Android trojans such as Mazar, Exobot and Bankbot,” said researchers.
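The permission profile described above (drawing over other apps, taking over SMS, blocking calls) is something a defender can hunt for on a managed device. The script below is an example added to this article, not code from SyfLabs, from SC Media or from the malware itself. It parses the "requested permissions:" block that `adb shell dumpsys package` prints for each package and flags packages that request overlay, SMS and telephony permissions together. The package names, the dump text and the three-indicator threshold are all constructed for the example.

```python
"""Flag Android packages whose requested permissions match the
overlay + SMS + telephony profile of an overlay banking trojan.

Added example for this article, not code from SyfLabs or the malware.
Input is the text of `adb shell dumpsys package` (or `dumpsys package <pkg>`);
the dump below is constructed for the example, as are the package names.
"""
from __future__ import annotations

import re
import sys

# Three capability groups a banking overlay trojan needs: draw over the real
# banking app, read/intercept SMS (one-time codes), and control phone calls
# (block the bank's fraud-desk callback).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
CALLS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.ANSWER_PHONE_CALLS",
}

# Constructed sample in the layout dumpsys uses: a "Package [...]" header per
# app, then a "requested permissions:" block, then other sections.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.flashplayer] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.CALL_PHONE
      android.permission.READ_PHONE_STATE
      android.permission.GET_TASKS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (d4e5f6):
    userId=10124
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.dialer] (0a1b2c):
    userId=10125
    requested permissions:
      android.permission.CALL_PHONE
      android.permission.READ_PHONE_STATE
      android.permission.SYSTEM_ALERT_WINDOW
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+([A-Za-z0-9_.]+)\s*$")


def parse_requested_permissions(dump: str) -> dict[str, set[str]]:
    """Map each package name to the set of permissions it requests."""
    perms: dict[str, set[str]] = {}
    pkg = None
    in_requested = False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:                         # new package: reset state
            pkg = m.group(1)
            perms[pkg] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith(":"):    # any other section header ends the block
            in_requested = False
            continue
        if in_requested and pkg is not None:
            m = PERM_RE.match(line)
            if m:
                perms[pkg].add(m.group(1))
    return perms


def banker_indicators(requested: set[str]) -> list[str]:
    """Return which of the three capability groups a permission set covers."""
    hits = []
    if OVERLAY in requested:
        hits.append("overlay")
    if requested & SMS:
        hits.append("sms")
    if requested & CALLS:
        hits.append("calls")
    return hits


def flag_suspicious(dump: str, min_indicators: int = 3) -> dict[str, list[str]]:
    """Packages hitting at least `min_indicators` groups (threshold is ours)."""
    flagged = {}
    for pkg, requested in parse_requested_permissions(dump).items():
        hits = banker_indicators(requested)
        if len(hits) >= min_indicators:
            flagged[pkg] = hits
    return flagged


if __name__ == "__main__":
    # Usage: adb shell dumpsys package > dump.txt && python audit.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for pkg, hits in flag_suspicious(text).items():
        print(f"{pkg}: {', '.join(hits)}")
```

A legitimate dialer or SMS app will hit one or two groups, which is why the default threshold requires all three; lower it to two when triaging a device that has already shown symptoms such as blocked bank calls. The check is a heuristic on requested permissions, not proof of infection, and on Android 6.0 and later a requested overlay permission still has to be granted by the user before it is usable.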

The malware was distributed through several third-party app stores, disguised as legitimate apps such as messengers, image tools and Flash players.

Researchers said that attacks like this one are becoming more prevalent on mobile devices. 

“The shift of malware campaigns from desktop (Windows) to mobile (Android) seems largely related to the fact that these days most transactions are initiated from mobile devices instead of the desktop. This motivates actors to invest in developing solutions that target Android and have the same capabilities as the malware variants that have been evolving on the desktop for years,” they said.

Chris Hodson, EMEA CISO at Zscaler, told SC Media UK that while Trojan techniques continue to evolve, the underlying vector is almost always some form of social engineering.

“In the case of Red Alert 2.0, social engineering is coming via an Android banking application. Security professionals, now more than ever, have a duty of care to educate users,” he said.

“Business policies need to restrict the downloading of applications from anywhere other than trusted app stores. The majority of Android malware is still delivered from third-party app stores. In the case of Red Alert 2.0, once installed, the options for revoking the malware's rights are limited. For example, the Alert actors are seen to be regularly blocking incoming calls of banks which can have a detrimental effect on the process of a fraud operation.”

Matthias Straub, director consulting Germany & Austria at NTT Security, told SC Media UK that while Red Alert 2.0 introduces some dangerous new features, like blocking phone calls and attacking a large number of different banks, all these features are only relevant after but not before the infection with this trojan.

“The infection with Red Alert 2.0 still needs to happen “conventionally” by actively installing the Trojan from a third-party app store or other source. So following best practice procedures around Android security will also prevent an infection of Red Alert 2.0,” he said.

Helen Davenport, director at Gowling WLG, told SC Media UK that the recommended steps to defend against cyber-attacks include keeping an organisation's security patches up to date, using proper antivirus protection and backing up the data that matters. “It is also crucial to put employee digital security training in place, as people sometimes can be the weakest link in an organisation's cyber-security measures,” she said.