Android Banking Trojan Xbot Doubles as Ransomware

A new Android malware Trojan that snoops for online banking credentials can also encrypt the Android device’s files in exchange for ransom, researchers have discovered.

The malware, called Xbot, was discovered by researchers at security firm Palo Alto Networks. Although not yet widespread, it has so far been found targeting devices in Australia and Russia.

In a blog post, the researchers say they believe the malware authors behind Xbot are actively trying to expand its targets beyond those two countries.

The researchers wrote:

As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow, and that the attacker will expand its target base to other regions around the world.

The malware operates by means of a technique called ‘activity hijacking.’ Here, the attacks are carried out with the intention of stealing online banking credentials and personal details. The method allows the malware to covertly launch a different activity or command when the targeted user opens a legitimate application. Fundamentally, the user is kept in the dark, unaware that they are triggering or interacting with the malicious program.

The activity hijacking appears to take advantage of behaviour in older versions of Android, those prior to 5.0, the researchers confirm. Significantly, Google’s security upgrades to its mobile operating system mean that only older devices that have not been updated to a newer version of Android are affected.

Ransomware Trojan

Ransomware seems to be everywhere, affecting every platform these days. Xbot can hold the device to ransom by encrypting files on the device’s external storage, much like the infamous CryptoLocker. The ransomware encrypts the files before asking for a payment. Once the extortion is successful, a decryption key is typically provided to the Android user. However, the chosen mode of payment here is a spoofed PayPal site that seeks $100, instead of the usual ransomware payment method involving the digital currency Bitcoin.

The security researchers discovered that the encryption algorithm used to take over the files is weak, which means it would be possible to recover the files without having to pay the ransom.

Xbot can also harvest contacts, SMS messages, phone numbers and more from the Android device before sending them back to the attackers.

Image credit: Pexels.