Cerberus out, Alien malware in – there is a new and dangerous Android banking trojan in the wild

Alien malware is a newly discovered banking trojan with an advanced ability to bypass two-factor authentication (2FA). More than 200 mobile apps are imitated by this new threat, including Bank of America and Microsoft Outlook. You can find more about the Alien malware below.

New Alien malware can steal passwords from 226 Android apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums. According to researchers from ThreatFabric, Alien is not truly a new piece of code but was actually based on the source code of a rival malware gang named Cerberus. But it is far more advanced than its “father”.

Alien is part of a new generation of Android banking trojans that have also integrated remote-access features into their codebases. It shows fake login screens and collects passwords for various apps and services, but it can also grant the hackers access to devices to use said credentials or even perform other actions.

Alien boasts the following capabilities:
  • Can overlay content on top of other apps (a feature used for phishing login credentials)
  • Log keyboard input
  • Provide remote access to a device after installing a TeamViewer instance
  • Harvest, send, or forward SMS messages and forward calls
  • Steal contacts list, collect device details, geo-location data, and app lists
  • Make USSD requests
  • Install and start other apps
  • Lock the screen for a ransomware-like feature
  • Sniff notifications shown on the device
  • Steal 2FA codes generated by authenticator apps

Researchers said they found that Alien had support for showing fake login pages for 226 other Android applications – e-banking apps, email, social, instant messaging, and cryptocurrency apps, including Gmail, Facebook, Twitter, Snapchat, WhatsApp, etc. Most of the banking apps targeted by Alien developers were for financial institutions based in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.

Researchers didn’t include details about how Alien makes its way onto users’ devices, primarily because this varies based on how the Alien MaaS customers (other criminal groups) choose to distribute it. Known vectors include phishing sites recommending downloads of fake software updates or Corona apps, and SMS. How to stay safe? Well, better not to install apps from shady sites, and don’t grant them admin rights.


Unsecured Microsoft Bing server leaks 6.5TB of data

An unsecured database has exposed sensitive data for users of Microsoft’s Bing search engine mobile application – including their location coordinates, search terms in clear text, and more. 

While no personal information, such as names, was exposed, researchers with Wizcase argued that enough data was available to link these search queries and locations to user identities, giving bad actors information ripe for blackmail attacks, phishing scams, and more.

The data was related to the mobile-app version of Microsoft Bing, housed in a 6.5 terabyte (TB) server owned by Microsoft, believed to contain 13 billion records. The server was exposed online from September 10 to September 16. 

The researchers noted that there have been more than 10 million downloads of the Bing app on Google Play alone, with millions of mobile searches performed daily. Anyone who made a Bing search with the mobile app while the server was exposed is at risk. Researchers noticed records of people searching from over 70 countries.

They also claim that between Sept. 10 and Sept. 12, and again on Sept. 14, the server was targeted by a “Meow attack” that deleted nearly the entire database.

In addition to the Meow hackers, this data was potentially exposed to other types of hackers and scammers, which could lead to a variety of blackmailing and phishing attacks against users of the Bing mobile app. The exposure of location data could also open victims up to physical attacks or robberies, researchers said.


AgeLocker ransomware targets QNAP NAS devices now and steals data

The group behind the AgeLocker ransomware has been targeting publicly exposed QNAP NAS devices and encrypting their files since the end of August 2020. This is an ongoing worldwide campaign.

A few words about AgeLocker. The ransomware utilizes an encryption tool called Age (Actually Good Encryption), designed to replace GPG for encrypting files, backups, and streams. When encrypting files, it prepends a text header to the encrypted data that starts with the URL ‘age-encryption.org’. The hackers also leave behind a ransom note named HOW_TO_RESTORE_FILES.txt that tells the victim that their QNAP device was specifically targeted in the attack:

“Unfortunately, a malware has infected your QNAP and a large number of your files have been encrypted using a hybrid encryption scheme.”

The attackers state they first stole unencrypted files that contain “medical data, scans, backups, etc.”
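The two indicators the article names (the age text header at the start of encrypted files and the HOW_TO_RESTORE_FILES.txt note) can be turned into a quick triage scan for a NAS share. This is an added example, not code from the article or from any QNAP tool; the share contents are constructed, and the `/v1` suffix in the sample header is from the public age format rather than the article.

```python
# Added example: defender-side triage scan for AgeLocker indicators on a share.
# Matches on the file header, not the file name, so renamed files are still caught.
import os
import tempfile
from pathlib import Path

AGE_HEADER_PREFIX = b"age-encryption.org"      # article: header starts with this URL
RANSOM_NOTE_NAME = "HOW_TO_RESTORE_FILES.txt"  # article: ransom note file name


def is_age_encrypted(path: Path) -> bool:
    """True when the file's first bytes are the age text header."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(AGE_HEADER_PREFIX)) == AGE_HEADER_PREFIX
    except OSError:
        return False


def scan_for_agelocker(root: Path) -> dict:
    """Walk a share; report encrypted files and ransom notes as share-relative paths."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name == RANSOM_NOTE_NAME:
                notes.append(rel)
            elif is_age_encrypted(p):
                encrypted.append(rel)
    return {"encrypted": sorted(encrypted), "ransom_notes": sorted(notes)}


def build_sample_share() -> Path:
    """Constructed sample data standing in for a QNAP share (not real victim files)."""
    root = Path(tempfile.mkdtemp(prefix="nas_sample_"))
    (root / "scans").mkdir()
    # Encrypted file keeps its original name: only the header gives it away.
    (root / "scans" / "report.pdf").write_bytes(b"age-encryption.org/v1\n-> X25519 ...\n")
    (root / "scans" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 untouched jpeg bytes")
    (root / RANSOM_NOTE_NAME).write_text("Unfortunately, a malware has infected your QNAP ...\n")
    return root


if __name__ == "__main__":
    print(scan_for_agelocker(build_sample_share()))
```

Run it against the real share root instead of the sample directory to get the list of affected files for your incident record.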

Not much information is shared about these attacks. It is unknown how much attackers are demanding as a ransom or how they are gaining access to the QNAP devices. Unfortunately, there is no way to recover files encrypted by AgeLocker for free.

But by following these steps you can secure your device and protect your company against this and future attacks.

First, make sure you are running the latest firmware and that known vulnerabilities have been patched. Next:

  1. Change all passwords for all accounts on the device.
  2. Remove unknown user accounts from the device.
  3. Make sure the device firmware is up-to-date, and all of the applications are also updated.
  4. Remove unknown or unused applications from the device.
  5. Set an access control list for the device.
  6. Deploy a fully configurable backup solution that can keep your data safe – and more importantly, your backup copies out of the ransomware reach.


Hacker super-group involved in bomb threats, ransomware, and SIM swapping has been shut down by the Polish police

Polish authorities have shut down a hacker super-group that has been involved in ransomware attacks, malware distribution, SIM swapping, banking fraud, running fake online stores, and even making bomb threats at the behest of paying customers.

Four suspects were arrested this week and four more are under investigation.

The hackers have been under investigation since May 2019, when they sent their first bomb threat. During the investigation, police discovered that an individual named Lukasz K. found the hackers on internet forums and hired them to send a bomb threat to a local school, but make the email look like it came from a rival business partner. The man whose identity was spoofed in the email was arrested and spent two days in prison before police figured out what happened. When the framed businessman was released from jail, he hired a private investigator to track down the culprits behind the fake bomb alert. When the hackers realized what was happening, they hacked a Polish mobile operator and generated invoices for thousands of zlotys (the Polish currency) in the names of both the detective and the framed businessman.

The biggest case connected to the group took place on June 26 and 27, 2019, when they were hired to send bomb threats to 1,066 kindergartens across Poland.

Many ways to achieve one goal…

But this wasn’t the group’s only source of income. The hackers also distributed malware – Cerberus, Anubis, Danabot, Netwire, Emotet, and njRAT – via email phishing attacks; the group was linked to 87 different domains used to distribute malware.

The hackers stole personal details from infected users, which they would then use to steal money from banks with weak security. Where banks had implemented multiple authentication mechanisms, the group would use the information stolen from infected victims to order fake IDs from the dark web, and then use the IDs to trick mobile operators into transferring the victim’s account to a new SIM card. Using this SIM card, the hackers would then reset passwords for the victim’s online accounts or bypass two-factor authentication (2FA) to steal money from victims.

The group was able to steal 199,000, 220,000 and 243,000 zlotys ($50,000, $56,000, and $62,000) in three separate incidents using this technique. The next attempt – worth 7.9 million zlotys ($2 million) was less fortunate. 

The group also created 50 fake online stores where they sold nonexistent products to defraud more than 10,000 buyers.

Europol, in a press release, suggested that the hackers most likely also claimed victims outside Poland.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Instagram bug allowed crashing the app via image sent to device (Bleeping Computer)
2. Cisco Patch-Palooza Tackles 29 High-Severity Bugs (Threat Post)
3. New ransomware actor OldGremlin uses custom malware to hit top orgs (Bleeping Computer)
4. Google Chrome Bugs Open Browsers to Attack (Threat Post)
5. CISA’s advisory warns of notable increase in LokiBot malware (Security Affairs)
6. German investigators blame Russian DoppelPaymer gang for deadly hospital attack (Security Affairs)
7. Google Cloud Buckets Exposed in Rampant Misconfiguration (Threat Post)
8. Microsoft Says Hackers Actively Targeting Zerologon Vulnerability (SecurityWeek)
9. The Windows XP source code was allegedly leaked online (Bleeping Computer)
10. SMS phishing scam pretends to be Apple “chatbot” – don’t fall for it! (Naked Security)