Security researchers from SfyLabs have discovered a new Android trojan called “Red Alert 2.0” that has been created and distributed over the past several months by a new threat actor. The capabilities of the malware are similar to those of other Android banking Trojans, such as the use of overlays to steal login credentials, or SMS control and contact list harvesting.
The Red Alert trojan has many new features to ensure that it remains effective. The malware can block and log incoming calls from banks, which could disrupt the work of fraud operations departments at financial institutions that call victims on their infected smartphone about possible malicious activity.
The trojan also uses Twitter to avoid losing bots when the C2 server is taken offline. If the bot fails to connect to the hardcoded C2, it will recover a new C2 address from a Twitter account. We have noticed this feature before in desktop banking trojans, but it is the first time we have seen it in an Android trojan.
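The fallback described above leaves a recognisable footprint in per-app network telemetry: a failed connection to an unknown host followed shortly by a successful connection to Twitter from the same app. The following detection heuristic is an added example, not code from SfyLabs or from the malware; the log format, app names, hosts and timestamps are all constructed for illustration.

```python
"""Constructed example: flag apps whose failed C2 connect is followed by a
Twitter lookup, the sequence the Red Alert fallback produces."""
from datetime import datetime, timedelta

# Hosts an infected app may turn to when its hardcoded C2 is unreachable.
FALLBACK_HOSTS = {"twitter.com", "api.twitter.com", "mobile.twitter.com"}
WINDOW = timedelta(minutes=5)  # assumed: how soon the fallback follows the failure

# Constructed sample log (not real telemetry). Format: ts app host outcome
# The IPs are from documentation ranges and stand in for a hardcoded C2.
SAMPLE_LOG = """\
2017-09-18T10:00:01 com.example.bank 203.0.113.10 ok
2017-09-18T10:00:05 com.example.weather api.weather.example ok
2017-09-18T10:01:00 com.example.flash 198.51.100.7 fail
2017-09-18T10:01:03 com.example.flash 198.51.100.7 fail
2017-09-18T10:01:10 com.example.flash api.twitter.com ok
2017-09-18T10:02:00 com.example.weather api.twitter.com ok
2017-09-18T10:09:00 com.example.social 198.51.100.9 fail
2017-09-18T10:30:00 com.example.social api.twitter.com ok
"""


def parse(log):
    """Yield (timestamp, app, host, outcome) tuples from the constructed format."""
    for line in log.splitlines():
        ts, app, host, outcome = line.split()
        yield datetime.fromisoformat(ts), app, host, outcome


def find_fallback_candidates(log, window=WINDOW):
    """Return {app: (failed_host, twitter_host)} for every app whose failed
    connect to a non-Twitter host was followed within `window` by a
    successful connect to Twitter. Apps that only talk to Twitter, or whose
    Twitter traffic is unrelated in time to a failure, are not flagged."""
    last_fail = {}   # app -> (timestamp, host) of its most recent failed connect
    flagged = {}
    for ts, app, host, outcome in parse(log):
        if host in FALLBACK_HOSTS:
            if outcome == "ok" and app in last_fail and ts - last_fail[app][0] <= window:
                flagged[app] = (last_fail[app][1], host)
        elif outcome == "fail":
            last_fail[app] = (ts, host)
    return flagged


if __name__ == "__main__":
    for app, (c2, fallback) in find_fallback_candidates(SAMPLE_LOG).items():
        print(f"{app}: failed {c2}, then reached {fallback}")
```

On the sample log only com.example.flash is flagged; com.example.social's Twitter connection comes 21 minutes after its failure and falls outside the window.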
According to SfyLabs:
“The shift of malware campaigns from desktop (Windows) to mobile (Android) seems largely related to the fact that these days most transactions are initiated from mobile devices instead of the desktop. This motivates actors to invest in developing solutions that target Android and have the same capabilities as the malware variants that have been evolving on the desktop for years.”