New Android Trojan ‘Xbot’ phishes credit cards and bank accounts, encrypts devices for ransom

Palo Alto Networks has recently discovered 22 Android apps belonging to a new Trojan family called ‘Xbot’. This Android Trojan is regularly updated and is already capable of multiple malicious behaviors.

Xbot tries to steal victims’ banking credentials and credit card details information via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of seven different banks’ apps. So far, in Asia-Pacific, only users in Australia have been targeted, along with Android users in Russia, elsewhere in the world. Importantly, of the seven bank apps Xbot seen to imitate, six belong to some of the most popular banks in Australia. While this malware doesn’t appear to be widespread yet, Palo Alto Networks researchers observed the author making regular updates and improvements indicating that this malware could soon threaten Android users across the world.

Apart from stealing victims banking and credit card details, this malware can also remotely lock infected Android devices. It can encrypt the user’s files in external storage such as SD cards and demand for U.S $100 PayPal cash card as ransom. In addition, Xbot can also steal all SMS messages and contact information, intercept certain SMS messages, and analyse SMS messages for mTANs (Mobile Transaction Authentication Numbers) from banks.

Xbot primarily uses a popular attack technique called “activity hijacking” by abusing some features in Android. It is important to note that the apps Xbot mimics are not themselves being exploited. Starting with Android 5.0, Google adopted a protection mechanism to mitigate this attack but other attack approaches used by Xbot are still affecting all versions of Android. Xbot was implemented in a flexible architecture that could be easily extended to target more Android apps.

While Android users running version 5.0 or later are so far protected from some of Xbot’s malicious behaviors, all users are vulnerable to at least some of its capabilities. As the creator appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow, and that the attacker will expand its target base to other regions around the world.

The team at Palo Alto Networks will continue to watch and report on this threat as the attacker introduces new versions but also re-emphasized that the banking apps imitated by Xbot are not themselves being exploited.

Palo Alto Networks recommends using preventive security measures that automatically detect unknown malware and generate protection sets before an enterprise or device is compromised.  Customers can also refer to IPS signature (13997) for details about Xbot C2 traffic information.