PhishLabs is monitoring the increasing number of mobile applications targeted by the relatively new Alien Mobile Banking Trojan. Alien, a fork of Cerberus, continues to evade Google’s malware detection and is targeting a broad spectrum of both financial and non-financial apps. So far, Alien has been connected with 87 new brands previously not targeted by Cerberus.
Cerberus versus Alien Brands Targeted
Prior to its decline, Cerberus operators dominated the mobile malware landscape in both functionality and attacks. Cerberus was offered as malware-as-a-service (MaaS) and targeted 139 known brands during its life.
Since January 2020, Alien has been observed targeting 226 different brands. Alien’s high volume of targets may be attributed to its adoption by a growing number of threat actors eager to take advantage of enhancements that make fraud more likely to succeed. Like Cerberus, Alien uses a MaaS approach, with built-in features that can achieve a wide range of objectives.
Specifically, Alien has capabilities not previously seen with Cerberus, such as the ability to install and navigate Android’s TeamViewer. Using TeamViewer gives the operator full remote control access to the infected device, as well as the ability to change device settings, interact with applications, and monitor user behavior.
Alien authors have also incorporated a notification sniffer that allows access to all new updates on infected devices. This includes the ability to steal tokens from Google’s Authenticator application, enabling actors to bypass two-factor authentication security measures.
Alien also retains the features originally associated with Cerberus, including keylogging, SMS harvesting, and dynamic overlays.
Financial Institutions versus Non-Financials Targeted by Alien
Notably, we continue to observe Alien being used to target an increasing number of non-financial institutions compared to other mobile and desktop malware. This approach boosts the effectiveness of Alien distribution by taking advantage of how individuals may be less vigilant when interacting with non-financial applications not…