There is an Alien looking to steal your Crypto!


And no, it's not @acidyo or @derangedvisions from the OCD community, although them guys are weird, right? This is a new trojan affecting Android users and the Coinbase and Luno wallets. The trojan is based on the Cerberus trojan from some years back. The Google Play Store was almost free of infected apps, mainly because the group behind it pretty much deserted it when Google discovered a way to track infected apps, but the trojan has seen new life in recent weeks after it was picked up by a new group, and it's spreading. There are 226 apps that are currently affected. This particular trojan has the ability to intercept 2FA codes and passwords in transit. This is a dangerous trojan. I would strongly advise anyone using an Android device to keep your eyes peeled and uninstall any unused or questionable apps from your devices.


This first came to my attention a couple of weeks ago when @hetty-rowan hit me up on Discord to say she had a lot of weird things happening in her Coinbase wallet. Her account had been compromised and she had 2FA enabled. The attacker was able to convert some of her coins to BTC but thankfully they were unable to withdraw the funds from her account as she had the email feature also enabled.

FYI: Hetty does not know the answer to your questions!! There are apps listed below, read the list and if you have an affected app, remove it.

Currently, according to ThreatFabric, Alien boasts the following capabilities:

  • Can overlay content on top of other apps (feature used for phishing login credentials)
  • Log keyboard input
  • Provide remote access to a device after installing a TeamViewer instance
  • Harvest, send, or forward SMS messages
  • Steal contacts list
  • Collect device details and app lists
  • Collect geo-location data
  • Make USSD requests
  • Forward calls
  • Install and start other apps
  • Start browsers on desired pages
  • Lock the screen for a ransomware-like feature
  • Sniff notifications shown on the device
  • Steal 2FA codes generated by authentication apps


The affected apps and their specific package names are listed below.

| Package name | App name |
|---|---|
| com.coinbase.android | Coinbase – Buy & Sell Bitcoin. Crypto Wallet |
| piuk.blockchain.android | Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum Spain |
| com.bankinter.launcher | Bankinter Móvil |
| es.evobanco.bancamovil | EVO Banco móvil |
| com.garanti.cepsubesi | Garanti BBVA Mobile Finansbank Mobile Banking |
| com.connectivityapps.hotmail | Connect for Hotmail & Outlook: Mail and Calendar |
| com.ykb.android | Yapı Kredi Mobile Cep Şubesi |
| com.tmobtech.halkbank | Halkbank Mobil |
| com.kuveytturk.mobil | Kuveyt Türk |
| com.ziraat.ziraatmobil | Ziraat Mobile |
| com.pozitron.iscep | İşCep - Mobile Banking |
| com.vakifbank.mobile | VakıfBank Mobil Bankacılık |
| es.ibercaja.ibercajaapp | Ibercaja AMRO Mobiel Bankieren |
| pl.mbank | mBank PL APP楽天銀行 -個人のお客様向けアプリ MPS mail |
| it.ingdirect.app | ING Italia Mail – Organized Email App |
| com.db.pbc.miabanca | La Mia Banca |
| eu.unicreditgroup.hvbapptan | HVB Mobile Banking |
| de.commerzbanking.mobil | Commerzbank Banking - The app at your side Banking Classic |
| de.postbank.finanzassistent | Postbank Finanzassistent |
| com.targo_prod.bad | TARGOBANK Mobile Banking |
| de.comdirect.android | comdirect mobile App |
| de.dkb.portalapp | DKB-Banking Ihre mobile Filiale |
| de.consorsbank | Consorsbank Mobile Banque |
| com.cm_prod.bad | Crédit Mutuel |
| com.ingdirectandroid | - Comptes - LCL |
| fr.banquepopulaire.cyberplus | Banque Populaire |
| fr.creditagricole.androidapp | Ma Banque'Appli Société Générale Mobile Banking Mobile Banking® the banking app that gives you extra |
| org.stgeorge.bank | St.George Mobile Banking |
| com.att.mywireless | - Mobile |
| com.clairmail.fth | Fifth Third Mobile Banking by ICICI Bank |
| com.unicredit | Mobile Banking UniCredit |
| it.popso.scrignoapp | - Outlook: Organize Your Email & Calendar |
| com.infonow.bofa | Bank of America Mobile Banking |
| com.konylabs.capitalone | Capital One® Mobile |
| com.suntrust.mobilebanking | SunTrust Mobile App Mobile |
| com.usbank.mobilebanking | U.S. Bank - Inspired by customers Fargo Mobile |
| com.bmo.mobile | BMO Mobile Banking |
| it.nogood.container | UBI Banca Mobile |
| com.latuabancaperandroid | Intesa Sanpaolo Mobile |
| com.ingbanktr.ingmobil | ING Mobil |
| posteitaliane.posteapp.apppostepay | PostepayŞEKER MOBİL ŞUBE Play |
| es.liberbank.cajasturapp | Banca Digital Liberbank |
| www.ingdirect.nativeframe | ING España. Banca Móvil |
| com.tecnocom.cajalaboral | Banca Móvil Laboral Kutxa |
| com.db.pbc.mibanco | Mi Banco db |
| net.inverline.bancosabadell.officelocator.android | Banco Sabadell App. Your mobile bank Net Cash ES & PT |
| es.bancosantander.empresas | Santander Empresas Mobile Cash: Send and Request Money Fast |
| pl.bzwbk.bzwbk24 | Santander mobile |
| es.caixageral.caixageralapp | Banco Caixa Geral España |
| alior.bankingapp.android | Usługi Bankowe |
| com.imaginbank.app | imaginBank - Your mobile bank |
| com.whatsapp | WhatsApp Messenger |
| com.viber.voip | Viber Messenger - Messages, Group Chats & Calls |
| com.ebay.mobile | eBay: Buy, sell, and save money on home essentials |
| com.getingroup.mobilebanking | Getin Mobile |
| com.konylabs.cbplpat | Citi Handlowy |
| es.caixagalicia.activamovil | ABANCA- Banca Móvil |
| com.moneybookers.skrillpayments.neteller | NETELLER - fast, secure and global money transfers |
| com.pcfinancial.mobile | Simplii Financial |
| com.td | TD Canada |
| cz.csob.smartbanking | ČSOB Smartbanking |
| com.airbitz | Bitcoin Wallet - Airbitz |
| clientapp.swiftcom.org | ePayments: wallet & bank card |
| de.number26.android | N26 — The Mobile Bank Australia Banking |
| com.payoneer.android | Payoneer – Global Payments Platform for Businesses |
| com.cimbmalaysia | CIMB Clicks Malaysia |
| com.moneybookers.skrillpayments | Skrill - Fast, secure online payments |
| com.mycelium.wallet | Mycelium Bitcoin Wallet |
| com.aff.otpdirekt | OTP SmartBank |
| com.kasikorn.retail.mbanking.wap | K PLUS |
| com.krungsri.kma | KMA EASY |
| com.bendigobank.mobile | Bendigo Bank |
| org.banksa.bank | BankSA Mobile Banking of Melbourne Mobile Banking |
| at.volksbank.volksbankmobile | Volksbank hausbanking Comptes BNP Paribas |
| com.ocito.cdn.activity.creditdunord | Crédit du Nord pour Mobile |
| pl.bph | BusinessPro Lite APP |
| pt.novobanco.nbapp | NB smart app |
| pt.santandertotta.mobileparticulares | Santander Particulares |
| com.bankofqueensland.boq | BOQ Mobile |
| fr.laposte.lapostemobile | La Poste - Services Postaux |
| com.fortuneo.android | Fortuneo, mes comptes banque & bourse en ligne Mobile Banking |
| pl.bzwbk.ibiznes24 | iBiznes24 mobile |
| it.carige | Carige Mobile |
| eu.inmite.prj.kb.mobilbank | Mobilni Banka住信SBIネット銀行 Mobile Banking |
| com.advantage.raiffeisenbank | - Austria MobileBanking |
| com.htsu.hsbcpersonalbanking | HSBC Mobile Banking Australia |
| com.bankia.wallet | Bankia Wallet |
| com.fusion.banking | Bank Australia app |
| com.fusion.beyondbank | Beyond Bank Australia |
| com.bancsabadell.wallet | Sabadell Wallet |
| es.bancosantander.wallet | Santander Wallet Banque Postale |
| com.cajamar.cajamar | - Shield |
| com.fibabanka.mobile | Fibabanka Corporate Mobile |
| com.mobileloft.alpha.droid | myAlpha Mobile |
| ktbcs.netbank | Krungthai NEXT Wallet Spain. Mobile Payment |
| com.bancomer.mbanking | BBVA México (Bancomer Móvil) Argentina |
| com.mercadolibre | Mercado Libre: compra fácil y rápido |
| es.santander.money | Santander Money Plan |
| com.dhanlaxmi.dhansmart.mtc | Dhanlaxmi Bank Mobile Banking |
| com.msf.kbank.mobile | Kotak - 811 & Mobile Banking |
| com.snapwork.hdfc | HDFC Bank MobileBanking |
| eu.netinfo.colpatria.system | Scotiabank Colpatria |
| com.todo1.mobile | Bancolombia App Personas |
| org.westpac.bank | Westpac Mobile Banking BANKING APP Bankieren |
| com.tfkb | Türkiye Finans Mobile Branch |
| finansbank.enpara.sirketim | Enpara.comŞirketim Cep Şubesi Play Games |
| com.icomvision.bsc.tbc | TBC Bank Mobile® |
| com.tdbank | TD Bank (US) Bank Mobile Banking Business Mobile |
| com.nearform.ptsb | permanent tsb of Melbourne Business App |
| org.banking.bsa.businessconnect | BankSA Business App |
| org.banking.stg.businessconnect | St.George Business App |
| org.westpac.col | Westpac Corporate Mobile |
| ca.bnc.android | National Bank of Canada |
| ca.servus.mbanking | Servus Mobile Banking Buy Bitcoin, Ethereum and Cryptocurrency |
| com.acceltree.mtc.screens | Alawwal Mobile |
| enbd.mobilebanking | Emirates NBD Wallet by SpectroCoin - free IM & video calls |
| com.barclaycardus | Barclays US Mobile Banking Bank of Scotland Mobile Banking |
| tsb.mobilebanking | TSB Bank Mobile Banking |


As you can see there is a massive number of affected apps so be super careful with what you are doing and I would strongly advise everyone reading this to audit your apps and if you don't need it, bin it!
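One way to run the app audit suggested above, as an added example that is not part of the original post: it parses the output of `adb shell pm list packages -i`, reports installed packages that appear on the list, and notes which of them were not installed through the Play Store. The `WATCHLIST` subset, the sample output and the function names are constructed for illustration, and the installer check is an addition that the post itself does not describe.

```python
import re
import subprocess
import sys

# Subset of the package names listed in the post; extend it with the full list.
WATCHLIST = {
    "com.coinbase.android",
    "piuk.blockchain.android",
    "com.mycelium.wallet",
    "com.whatsapp",
}
PLAY_STORE = "com.android.vending"  # installer reported for Play Store installs

# `pm list packages -i` prints: package:<name>  installer=<installer or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?\s*$")

def parse_pm_list(text):
    """Parse `pm list packages -i` output into {package: installer or None}."""
    installed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and adb warnings
        inst = m.group("inst")
        installed[m.group("pkg")] = None if inst in (None, "null") else inst
    return installed

def audit(installed, watchlist=WATCHLIST):
    """Return sorted (package, installer, note) rows for installed apps on the list."""
    rows = []
    for pkg in sorted(set(installed) & set(watchlist)):
        inst = installed[pkg]
        note = "from Play Store" if inst == PLAY_STORE else "not installed via Play Store"
        rows.append((pkg, inst, note))
    return rows

# Constructed sample output, not captured from a real device.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.coinbase.android  installer=com.android.vending
package:com.whatsapp  installer=null
package:org.example.flashlight  installer=null
"""

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--device":
        text = subprocess.run(["adb", "shell", "pm", "list", "packages", "-i"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    for pkg, inst, note in audit(parse_pm_list(text)):
        print(f"{pkg}\tinstaller={inst}\t{note}")
```

Run it with `--device` to query a phone connected over adb instead of the embedded sample.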



I never touch droids, ever since the Jawa sold me a bum one. Looks like this is a case for Mulder and Scully - the truth is out there.

Haha, so many innuendos! Mad skills yo!

@hetty-rowan did her job, BTW

TY moon-unit and Hettie!


The word has to go out as much as possible

Very very useful ... and thank you for checking all of this out. Now going to reblog your post and check my phone out once again. Maybe also worth mentioning that Malwarebytes for Android didn't find this trojan on my phone. So if it happened to me because of the trojan, then you can't trust Malwarebytes. Unfortunately


I believe that would be more that the malwarebytes signatures wouldn't have the signature included in its new updates. I would imagine we will see updates from the likes of malwarebytes and also we'll see Google scanning the play store too.

I hope to see the updates soon because it's really not a fun thing to have it happening. And luckily they weren't able to steal from me this time, but still rather not go through that once again ...

Yes let's hope Google will be alert soon too.

That is a very scary list!!!! Thanks for letting us know.

Post upvoted and reblogged @moonunit. I still don't see what can be done, other than simply don't use the affected apps, so if you have or come up with more insight about that, please share.

Thank you @jerrysuseer I try to keep myself up to date on new attacks. When they involve the crypto space I do all I can to get the word out to as many as possible.

I copied most of the details of your post, used it as the basis of a msg I sent to the two banks that I use, Wells Fargo, and USAA that I was concerned about this new virus.

WF replied that they had checked and there was no virus in their system.

I thank you for the heads up, and I've warned my friends to beware of it as well.

Thank you @moonunit

That is great that they responded to you, but they shouldn't have been scanning their system. The issue is not with them specifically, rather with the infrastructure it's running on, i.e. Android. The compromised app once installed is logging information that should be secured in a TEE (trusted execution environment), which is a secure part of the CPU on your device. This would be best practice for Android devices but they may not use it due to lazy devs etc. Apple do not use TEE on their devices, they use TAP (trusted application protocol I believe) just as an FYI.

I haven't seen the detail on where the malware is picking up the information, i.e. if it's in a TEE, but I highly doubt it. I would say that it is monitoring transactions like device to server etc.

Whenever there is a buck to be made by scamming people are going to do it, it's why decentralisation and education and healthy scepticism and distrust of systems are important. Getting into crypto means taking responsibility in many ways people may not be ready for


Yes, very true. Scammers be scamming. It is on the users to keep themselves safe. I do what I can to try to raise awareness. Thanks for checking it out.

No, Thank you. I am glad you read through and I hope it helps you to avoid being caught up in any way.

I have an Android, and looked through and saw some apps I had THOUGHT about downloading, but never did ... it was near enough, and it is good to know what to avoid -- thank YOU!

Thanks for this great info!

No problem at all. I do what I can to help when I can.

Thank you for the heads-up and warning!

No problem, Just trying to spread the word as much as possible. We are all crypto folk here.