Xbot Banking Trojan for Android steals bank login info
by Nikola Strahija on February 20th, 2016

Miscreants have created a new attack designed to steal banking credentials and credit card information using phishing pages crafted to look like Google Play's payment interface.
In addition to the Google Play payment interface, the Xbot trojan mimics app login pages for seven different banks, six of which are Australian. According to a report published by Palo Alto Networks, Xbot was implemented in a flexible architecture that could be easily extended to target more Android apps - or banks.
Palo Alto Networks' research team, Unit42, discovered 22 Android apps that belong to the new Xbot trojan family and bundle ransomware and spyware functionality. The trojan can also remotely lock infected Android devices and encrypt the files on the SD card, finishing with a request to buy a US $100 PayPal cash card as ransom. And that's not all: Xbot will also steal all contact info, and intercept and parse SMS messages from banks for mTANs (Mobile Transaction Authentication Numbers), a standard two-factor authentication mechanism.
Fortunately, this malware is not yet widespread and currently it looks like the miscreants are testing their attacks on users in Russia and Australia only. This may soon change.