This article is more than 1 year old

Android Xbot trojan poses as banking app, nicks your login creds

A Swiss Army knife for mobile ne'er do wells

Miscreants have crafted a new attack designed to steal banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface.

The so-called Xbot trojan also weaves its malicious spell by presenting victims with login pages of seven different banks’ apps, six of which relate to Australian banks.

Security researchers at Palo Alto Networks’ research team, Unit42, have discovered 22 Android apps that belong to a new Xbot Trojan family which also bundles ransomware and spyware functionality.

It [the Xbot trojan] can also remotely lock infected Android devices, encrypt the user’s files in external storage (e.g., SD card), and then ask for a US $100 PayPal cash card as ransom.

In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.

Fortunately the powerful malware is not yet widespread. Android users in Russia and Australia are been targeted so far but this might easily be changed by the unidentified crooks behind the scam.

“Xbot was implemented in a flexible architecture that could be easily extended to target more Android apps,” Palo Alto warns.

A full write-up of the threat - complete with screenshots and code analysis - can be found in a blog post by Palo Alto here. ®

More about


Send us news

Other stories you might like