A new Android threat called Alien Malware or Alien RAT, which appears to have ties to the Cerberus banking malware, has been seen stealing credentials from a target list of around 226 mobile applications. Many of these mobile applications included those for banks around the world such as BBVA Spain and Bank of America. Alien is being sold on criminal forums by a threat actor known as “-ring0-“ using an account that has only posted about 24 times over the past year. The capabilities of this RAT are quite powerful—it has the ability to get around two-factor authentication (2FA) by stealing codes from Google Authenticator and intercepting text messages, and also it can take advantage of the TeamViewer application to completely take over the infected device. Its complete list of features shows the Alien has the ability to carry out 24 functions. When attempting to differentiate between Cerberus and Alien, researchers discovered Alien was implemented separately and used different endpoints. A complete list of the targets and some of the samples seen in the wild can be found here: https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html
While the actions of the Alien authors are quite unpredictable at this point, it can be assumed that they will continue to attempt to improve the malware. Banks need to make sure their online banking channels are locked down making it more difficult for actors to deploy malware that attacks their mobile applications. Although many people do not use it, effective antivirus apps are available for Android devices. A strong approach to security is to not install potentially risky apps on the same mobile device that is used for online banking and generating 2FA codes. With proper detection and control efforts in place it will make it for difficult for actors to bypass security measures.