Security researchers have discovered a new banking trojan targeting Android devices called Red Alert 2.0 that’s being sold on the dark web and has begun hitting Android-powered smartphones and tablets.
The malicious attack, discovered by researchers at SfyLabs, has been spreading through Russian-speaking hacking forums since spring and has started to appear in third-party app stores that offer an unregulated marketplace for people to download apps beyond the offerings in Google’s official app store.
According to SfyLabs, the attack has been spotted in the while and is communicated with command and control servers that allow the malicious tool to steal information from victims who download infected apps.
Red Alert operates similarly to previous banking trojans that have targeted Android devices, though it’s a new and growing threat in the mobile marketplace and presents a significant threats to users who may have valuable personal information and login credentials stolen.
The attack operates in a clever and essentially undetectable attack that waits to launch when a victim opens up a banking or social media app. Once it detects the launch, it layers an HTML-based overlay on top of the original app that informs the user there was an error logging them in and requesting them to re authenticate their account.
When the user enters their username and password on the touch screen keyboard, it is recorded by the Red Alert trojan’s overlay and transmitted to the command and control server to be used by the threat actors to hijack the account.
The trojan is also sophisticated enough to work around two-factor authentication techniques that would otherwise stifle attackers. Red Alert 2.0 can intercept text messages received by the infected phone, allowing the attackers to enter the secondary code sent to users who have the extra layer of protection.
The attackers behind Red Alert 2.0 have apparently used the stolen credentials to post spam and other malicious links through the hijacked social media accounts, ostensibly to help spread the attack to others who make the mistake of clicking on the links. Of course, the information could also be used for much more damaging attacks, including draining a victim’s bank account.
Red Alert 2.0 has been spotted for sale online for as little as $500 and development of the trojan is reportedly very active and ongoing, as the creators continue to update the product and add new features that make it even more of a threat to potential victims.
The most recent changelog posted on the forums selling the malicious service say the trojan was recently updated to include the ability to block incoming phone calls from numbers associated with banks and financial institutions, effectively allowing Red Alert to prevent any sort of warning of a compromised account to be received by the victim.
Red Alert can currently operate on Android versions up to and including 6.0 and has over 60 overlays targeting social media and banking applications.
Users can avoid the attack by downloading apps from the Google Play Store, Google’s official marketplace for Android apps and media, as the attack has not be detected within the search giant’s walled garden yet. That doesn’t mean it won’t eventually make it there—attacks have slipped by before—but it is almost always safer than third-party marketplaces.