| Field | Value |
|---|---|
| Additional Names | AlienBot Banker, Alien |
| Type of Malware | Banking Trojan |
| Location – Country of Origin | Mexico |
| Date of initial activity | 2018 |
| Motivation | Steal sensitive information such as login credentials, credit card numbers and bank account information |
| Attack Vectors | Infected apps on the Google Play Store; phishing emails; malware-infected websites; drive-by downloads |
| Targeted System | Android devices |
AlienBot is an Android banking Trojan sold on underground forums as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credential theft, and SMS harvesting to bypass SMS-based two-factor authentication (2FA). A bundled TeamViewer module gives the operator remote control of the infected device.

Targeted organisations: financial institutions based mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia and the UK.
Tools/Techniques Used

Associated tools: open-source applications (e.g., BeatPlayer, Cake VPN, Call-Recorder, eVPN, Music Player, Pacific VPN, QRecorder, QR/Barcode Scanner MAX) repackaged and published on the Google Play Store.

The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that, as a first step, lets a remote attacker inject malicious code (overlays) into legitimate financial applications. The attacker obtains access to the victim's accounts and eventually takes complete control of the device. Once in control, the attacker can operate the device as if they had it in hand: installing new applications on it, or driving it remotely through TeamViewer.
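The capability set described above (overlays, SMS interception, accessibility-based keylogging, installing further packages) maps onto a small, recognisable group of Android permissions. The script below is an added triage example written for this page, not code from AlienBot or from any vendor report: it parses an APK's AndroidManifest.xml and flags the combination. The permission names are standard Android ones; the capability mapping, the "banker-like" threshold and the two sample manifests are this example's own assumptions, constructed for illustration.

```python
"""Heuristic triage of an Android manifest for the permission set an
overlay/SMS-stealing banking trojan needs. Constructed example: the
capability mapping and verdict threshold are assumptions for illustration,
not a published AlienBot signature."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> Android permissions that typically implement it (assumed mapping).
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_harvesting": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "keylogging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "side_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# Overlay + SMS interception + accessibility abuse together is the banker core.
BANKER_CORE = {"overlay", "sms_harvesting", "keylogging"}


def manifest_permissions(xml_text):
    """Return the permissions a manifest requests. The accessibility-service
    binding is declared on a <service android:permission=...>, not through
    <uses-permission>, so it is collected separately."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            perms.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    perms.discard(None)
    return perms


def triage(xml_text):
    """Map requested permissions to capabilities and return a verdict."""
    perms = manifest_permissions(xml_text)
    caps = {cap for cap, needed in CAPABILITIES.items() if needed & perms}
    if BANKER_CORE <= caps:
        verdict = "banker-like"
    elif caps:
        verdict = "review"
    else:
        verdict = "low"
    return {"capabilities": caps, "verdict": verdict}


# Constructed sample manifests (hypothetical apps, not real Play Store listings).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, triage(manifest))
```

One caveat a practitioner should keep in mind: a dropper published on the Play Store may request little more than the ability to install packages and fetch the real payload only after installation, so a manifest that scores "review" or even "low" is not a clean bill of health. Run the same check on anything the app installs afterwards.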