According to researchers at Trustwave, the source code of the Red Alert 2.0 Android Trojan is now available for rent on cybercrime underground forums at $500 per month.
The experts discovered the latest variant because received a malicious apk via mail and analyzed it.
“It all started with a spam message, which curiously had an Android App attachment. The spam email vaguely claims that the attachment was a dating app for finding anonymous sex-acquaintances called SilverBox.” reads the analysis published by Trustwave.
“We Googled some of the strings from the decompiled source code and found this bot was known as RED ALERT v2.0 BOT and is being rented out for at least $200 for 7 days test usage, $500 for a month and up to $999 for 2 months.”
The Red Alert 2.0 Android Trojan was being distributed through spam messages, the detection rate at the time of analysis was 25 out of 59 of the VirusTotal anti-virus solutions.
The Red Alert 2.0 Android banking malware was developed from scratch and has been offered for rent via many online hacking forums. The authors of the malware are continuously updating it, adding new features.
The malware implements a broad range of stealing abilities, it is capable to exfiltrate information from the infected mobile devices, such as contact details and SMS messages. The malware is able to block calls from banks and it implements a backup C&C mechanism through bots via Twitter.
C&C communications are via HTTP POST requests to a specific UR, in case the C&C is not available, the malicious code receives instructions from the operator through a Twitter message.
The malware also displays an overlay on the top of legitimate apps, at the time of its first discovery experts observed around 60 HTML overlays for banking apps.
According to the Trustwave, the authors have expanded this capability and currently the Red Alert 2.0 Android Trojan is able to target more than 120 banks in Australia, Austria, Canada, Czech Republic, Poland, Denmark, Germany, France, Lithuania, India, Italy, Ireland, Japan, New Zeeland, Romania, Spain, Sweden, Turkey, United Kingdom, and the United States.
The authors’ adv also claims that the malware is able to target popular payment systems (PayPal, Airbnb, Coinbase, Poker Stars, Neteller, Skrill, and Unocoin Bitcoin Wallet India) and CC+VBV Grabbers (Amazon, eBay, LINE, GetTaxi, Snapchat, Viber, Instagram, Facebook, Skype, UBER, WeChat, and WhatsApp) too.
Red Alert 2.0 is able to intercept and send SMS messages, launch APKs and inject HTML, this latter feature could be customized on demand. The author claims to produce new updates every two weeks.
The malware uses a number of services to handle it life cycle and keep it running at all times, some of them are:
- WatchDogService: sets timers to ensure that malware is running periodically.
- ControlService: registers the device bot, as well as starting up the ReadCommandThread: waits for instructions from the C&C server
- Ensures that device is connected to the C&C server
- BootReceiver: ensures all functionality is up and running when machineis rebooted. This boot receiver ensures that the watchdog service is run every 10 secs or 30 secs depending on the version of the OS.
- SmsReceiver: intercepts SMS messages.
The Red Alert 2.0 also includes a UI module used to request for permissions from the victims and to overlay some templates received from the C&C server on top of other apps.
Below a video published by the researchers that shows the malware in action:
Are you curious?
Well, you can rent the malware starting at $200 for 7 days, $500 for a month, or $999 for 2 months.
Let’s close with a consideration, the method to spread an Android malware via spam messages is not effective and it is rare to see crooks spreading malicious Android apps in this way as confirmed by the experts.
“To wrap-up, we had fun reverse engineering this Android malware and learned a lot. It was interesting to see APK malware being spammed via email, but we wonder how effective the strategy really is for the bad guys.” concludes Trustwave.
“The malware required the user to OK to install, and Android pops up plenty of warnings about permissions. Also, Google Play Protect was detecting this threat, so in order to get the malware installed on Androidwe also had to disable Play Protect. We haven’t seen any more samples being spammed, so perhaps the email campaign was not so successful after all.”