| Field | Value |
|---|---|
| Name | AlienBot |
| Additional Names | AlienBot Banker, Alien |
| Type of Malware | Banking Trojan |
| Location – Country of Origin | Mexico |
| Date of initial activity | 2018 |
| Motivation | Steal sensitive information such as login credentials, credit card numbers, and bank account information |
| Attack Vectors | Infected apps on the Google Play Store; phishing emails; malware-infected websites; drive-by downloads |
| Targeted System | Android devices |
Overview
AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credential theft, and SMS harvesting for 2FA bypass. Additional remote-control capabilities are provided through a TeamViewer module.
Targets
Financial institutions based mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.
Tools/Techniques Used
Associated tools: trojanized open-source applications on the Google Play Store (e.g., BeatPlayer, Cake VPN, Call-Recorder, eVPN, Music Player, Pacific VPN, QRecorder, QR/Barcode Scanner MAX).
The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices. As a first step, it allows a remote attacker to inject malicious code into legitimate financial applications. The attacker obtains access to victims' accounts and eventually takes complete control of the device. Once in control, the attacker can operate certain functions as if physically holding the device, such as installing a new application or controlling it remotely through TeamViewer.