There is an Alien looking to steal your Crypto!

in #hive-17457829 days ago (edited)

And no, its not @acidyo or @derangedvisions from the OCD community, although them guys are weird, right? This is a new trojan is affecting Android users and the Coinbase, blockchain.com and luno wallets. The trojan is based on the Cerburus trojan from some years back. Google play store was almost free of infected apps, mainly because the group behind it pretty much deserted it when Google discoverd a way to track infected apps, but the trojan has seen new life in recent weeks after its been picked up by a new group and its spreading. There are 226 apps that are currently affected. This particular trojan has the ability to intercept 2fa codes and passwords in transit. This is a dangerous trojan. I would strongly advise anyone using an android device to keep your eyes peeled and uninstall any unused or questionable apps from your devices.

fantasy-2847724_1280.jpg

This first came to my attention a couple of weeks ago when @hetty-rowan hit me up on discord to say she had a lot of weird things happening in her coinbase wallet. Her account had been compromised and she had 2fa enabled. The attacker was able to convert some of her coins to BTC but thankfully they were unable to withdraw the funds from her account as she had the email feature also enabled.

FYI: Hetty does not know the answer to your questions!! There are apps listed below, read the list and if you have an affected app, remove it.

Currently, according to ThreatFabric, Alien boasts the following capabilities:

  • Can overlay content on top of other apps (feature used for phishing login credentials)
  • Log keyboard input
  • Provide remote access to a device after installing a TeamViewer instance
  • Harvest, send, or forward SMS messages
  • Steal contacts list
  • Collect device details and app lists
  • Collect geo-location data
  • Make USSD requests
  • Forward calls
  • Install and start other apps
  • Start browsers on desired pages
  • Lock the screen for a ransomware-like feature
  • Sniff notifications showed on the device
  • Steal 2FA codes generated by authentication apps

SRC:

Apps and specific package names for that are infected are listed below.

Package nameApp name
com.coinbase.androidCoinbase – Buy & Sell Bitcoin. Crypto Wallet
piuk.blockchain.androidBlockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum
com.bbva.bbvacontigoBBVA Spain
com.bankinter.launcherBankinter Móvil
es.bancosantander.appsSantander
es.univia.unicajamovilUnicajaMovil
es.cm.androidBankia
es.evobanco.bancamovilEVO Banco móvil
com.kutxabank.androidKutxabank
com.rsiruralvía
com.akbank.android.apps.akbank_direktAkbank
com.garanti.cepsubesiGaranti BBVA Mobile
com.finansbank.mobile.cepsubeQNB Finansbank Mobile Banking
com.connectivityapps.hotmailConnect for Hotmail & Outlook: Mail and Calendar
com.tebCEPTETEB
com.ykb.androidYapı Kredi Mobile
finansbank.enparaEnpara.com Cep Şubesi
com.tmobtech.halkbankHalkbank Mobil
com.kuveytturk.mobilKuveyt Türk
com.ziraat.ziraatmobilZiraat Mobile
com.pozitron.iscepİşCep - Mobile Banking
com.vakifbank.mobileVakıfBank Mobil Bankacılık
es.ibercaja.ibercajaappIbercaja
com.abnamro.nl.mobile.paymentsABN AMRO Mobiel Bankieren
pl.pkobp.ikoIKO
pl.mbankmBank PL
pe.com.interbank.mobilebankingInterbank APP
jp.co.rakuten_bank.rakutenbank楽天銀行 -個人のお客様向けアプリ
com.sbi.sbifreedomplus-
it.copergmps.rt.pf.android.sp.bmpsBanca MPS
com.google.android.gmGmail
com.mail.mobile.android.mailmail.com mail
it.bnl.apps.bankingBNL
it.ingdirect.appING Italia
com.yahoo.mobile.client.android.mailYahoo Mail – Organized Email
com.db.mm.norisbanknorisbank App
com.db.pbc.miabancaLa Mia Banca
eu.unicreditgroup.hvbapptanHVB Mobile Banking
de.commerzbanking.mobilCommerzbank Banking - The app at your side
de.fiducia.smartphone.android.banking.vrVR Banking Classic
de.postbank.finanzassistentPostbank Finanzassistent
com.targo_prod.badTARGOBANK Mobile Banking
de.comdirect.androidcomdirect mobile App
de.dkb.portalappDKB-Banking
com.starfinanz.smob.android.sfinanzstatusSparkasse Ihre mobile Filiale
de.consorsbankConsorsbank
com.finanteq.finance.caCA24 Mobile
com.boursorama.android.clientsBoursorama Banque
com.caisseepargne.android.mobilebankingBanque
com.cm_prod.badCrédit Mutuel
com.ingdirectandroid-
fr.lcl.android.customerareaMes Comptes - LCL
fr.banquepopulaire.cyberplusBanque Populaire
fr.creditagricole.androidappMa Banque
mobi.societegenerale.mobile.lappliL'Appli Société Générale
au.com.nab.mobileNAB Mobile Banking
com.cibc.android.mobiCIBC Mobile Banking®
com.grppl.android.shell.cmblloydstsb73-
com.grppl.android.shell.halifaxHalifax: the banking app that gives you extra
org.stgeorge.bankSt.George Mobile Banking
com.att.mywireless-
com.chase.sig.androidChase Mobile
com.clairmail.fthFifth Third Mobile Banking
com.csam.icici.bank.imobileiMobile by ICICI Bank
com.unicreditMobile Banking UniCredit
it.popso.scrignoapp-
com.microsoft.office.outlookMicrosoft Outlook: Organize Your Email & Calendar
com.infonow.bofaBank of America Mobile Banking
com.konylabs.capitaloneCapital One® Mobile
com.suntrust.mobilebankingSunTrust Mobile App
com.usaa.mobile.android.usaaUSAA Mobile
com.usbank.mobilebankingU.S. Bank - Inspired by customers
com.wf.wellsfargomobileWells Fargo Mobile
com.bmo.mobileBMO Mobile Banking
it.nogood.containerUBI Banca
com.rbc.mobile.androidRBC Mobile
com.latuabancaperandroidIntesa Sanpaolo Mobile
com.ingbanktr.ingmobilING Mobil
com.magiclick.odeabankOdeabank
posteitaliane.posteapp.apppostepayPostepay
tr.com.sekerbilisim.mbankŞEKER MOBİL ŞUBE
com.commbank.netbankCommBank
com.android.vendingGoogle Play
es.liberbank.cajasturappBanca Digital Liberbank
www.ingdirect.nativeframeING España. Banca Móvil
com.cajasur.androidCajasur
com.tecnocom.cajalaboralBanca Móvil Laboral Kutxa
com.db.pbc.mibancoMi Banco db
net.inverline.bancosabadell.officelocator.androidBanco Sabadell App. Your mobile bank
com.bbva.netcashBBVA Net Cash ES & PT
es.bancosantander.empresasSantander Empresas
com.paypal.android.p2pmobilePayPal Mobile Cash: Send and Request Money Fast
pl.bzwbk.bzwbk24Santander mobile
es.caixageral.caixageralappBanco Caixa Geral España
alior.bankingapp.androidUsługi Bankowe
eu.eleader.mobilebanking.pekaoPekao24Makler
eu.eleader.mobilebanking.pekao.firmPekaoBiznes24
com.facebook.katanaFacebook
com.imaginbank.appimaginBank - Your mobile bank
com.whatsappWhatsApp Messenger
com.snapchat.androidSnapchat
com.twitter.androidTwitter
org.telegram.messengerTelegram
com.instagram.androidInstagram
com.viber.voipViber Messenger - Messages, Group Chats & Calls
es.lacaixa.mobile.android.newwapiconCaixaBank
softax.pekao.powerpayPeoPay
com.ebay.mobileeBay: Buy, sell, and save money on home essentials
com.amazon.mshop.android.shopping-
com.getingroup.mobilebankingGetin Mobile
wit.android.bcpbankingapp.millenniumpl-
com.konylabs.cbplpatCiti Handlowy
es.caixagalicia.activamovilABANCA- Banca Móvil
com.moneybookers.skrillpayments.netellerNETELLER - fast, secure and global money transfers
com.pcfinancial.mobileSimplii Financial
com.tdTD Canada
cz.csob.smartbankingČSOB Smartbanking
com.airbitzBitcoin Wallet - Airbitz
clientapp.swiftcom.orgePayments: wallet & bank card
de.number26.androidN26 — The Mobile Bank
au.com.ingdirect.androidING Australia Banking
com.payoneer.androidPayoneer – Global Payments Platform for Businesses
com.cimbmalaysiaCIMB Clicks Malaysia
eu.eleader.mobilebanking.investplusbank24
com.moneybookers.skrillpaymentsSkrill - Fast, secure online payments
com.mycelium.walletMycelium Bitcoin Wallet
uk.co.santander.santanderuk-
com.aff.otpdirektOTP SmartBank
com.kasikorn.retail.mbanking.wapK PLUS
com.krungsri.kmaKMA
com.scb.phoneSCB EASY
com.netflix.mediaclientNetflix
com.bendigobank.mobileBendigo Bank
com.citibank.citibankmy-
com.konylabs.hongleongconnect-
org.banksa.bankBankSA Mobile Banking
org.bom.bankBank of Melbourne Mobile Banking
at.volksbank.volksbankmobileVolksbank hausbanking
net.bnpparibas.mescomptesMes Comptes BNP Paribas
com.ocito.cdn.activity.creditdunordCrédit du Nord pour Mobile
pl.bphBusinessPro Lite
pt.bancobpi.mobile.fiabilizacaoBPI APP
pt.novobanco.nbappNB smart app
pt.santandertotta.mobileparticularesSantander Particulares
com.bankofqueensland.boqBOQ Mobile
fr.laposte.lapostemobileLa Poste - Services Postaux
com.cic_prod.badCIC
com.fortuneo.androidFortuneo, mes comptes banque & bourse en ligne
nz.co.asb.asbmobileASB Mobile Banking
pl.bzwbk.ibiznes24iBiznes24 mobile
pl.millennium.corpapp-
net.garagecoders.e_llavescotiainfoScotiaMóvil
com.credemmobile-
it.carigeCarige Mobile
eu.inmite.prj.kb.mobilbankMobilni Banka
jp.co.netbk住信SBIネット銀行
au.com.cua.mbCUA Mobile Banking
com.advantage.raiffeisenbank-
com.bankaustria.android.olbBank Austria MobileBanking
com.barclays.android.barclaysmobilebankingBarclays
com.bochk.comBOCHK
com.htsu.hsbcpersonalbankingHSBC Mobile Banking
com.anz.android.gomoneyANZ Australia
com.bankia.walletBankia Wallet
com.fusion.bankingBank Australia app
com.fusion.beyondbankBeyond Bank Australia
com.greater.greater-
com.bancsabadell.walletSabadell Wallet
es.bancosantander.walletSantander Wallet
com.fullsix.android.labanquepostale.accountaccessLa Banque Postale
com.cajamar.cajamar-
wit.android.bcpbankingapp.millennium-
enterprise.com.anz.shieldANZ Shield
com.fibabanka.mobileFibabanka Corporate Mobile
com.mobileloft.alpha.droidmyAlpha Mobile
mbanking.nbg-
com.eurobankefg-
es.bancopopular.nbmpopularPopular
ktbcs.netbankKrungthai NEXT
com.bbva.bbvawalletBBVA Wallet Spain. Mobile Payment
com.bancomer.mbankingBBVA México (Bancomer Móvil)
ar.com.santander.rio.mbankingSantander Argentina
com.mercadolibreMercado Libre: compra fácil y rápido
es.santander.moneySantander Money Plan
com.dhanlaxmi.dhansmart.mtcDhanlaxmi Bank Mobile Banking
com.infrasofttech.centralbank-
com.infrasofttech.mahabank-
com.msf.kbank.mobileKotak - 811 & Mobile Banking
com.sbi.sbanywherecorporate-
com.snapwork.hdfcHDFC Bank MobileBanking
com.samba.mbSambaMobile
eu.netinfo.colpatria.systemScotiabank Colpatria
com.todo1.mobileBancolombia App Personas
org.westpac.bankWestpac Mobile Banking
au.com.suncorp.suncorpbank-
au.com.pnbank.androidP&N BANKING APP
com.ing.mobileING Bankieren
com.tfkbTürkiye Finans Mobile Branch
finansbank.enpara.sirketim Enpara.comŞirketim Cep Şubesi
com.google.android.play.gamesGoogle Play Games
com.icomvision.bsc.tbcTBC Bank
com.citi.citimobileCiti Mobile®
com.tdbankTD Bank (US)
com.unionbank.ecommerce.mobile.androidUnion Bank Mobile Banking
com.comarch.security.mobilebankingING Business
de.sdvrz.ihb.mobile.secureapp.sparda.produktionSpardaSecureApp
au.com.bankwest.mobileBankwest
com.hsbc.hsbcnetHSBCnet Mobile
com.nearform.ptsb permanent tsb
org.banking.bom.businessconnectBank of Melbourne Business App
org.banking.bsa.businessconnectBankSA Business App
org.banking.stg.businessconnectSt.George Business App
org.westpac.colWestpac Corporate Mobile
ca.bnc.androidNational Bank of Canada
ca.servus.mbankingServus Mobile Banking
co.bitx.android.walletLuno: Buy Bitcoin, Ethereum and Cryptocurrency
com.acceltree.mtc.screensAlawwal Mobile
enbd.mobilebankingEmirates NBD
lt.spectrofinance.spectrocoin.android.walletBitcoin Wallet by SpectroCoin
com.skype.raiderSkype - free IM & video calls
com.barclaycardusBarclays US
com.grppl.android.shell.bos-
com.rbs.mobile.android.natwestNatWest Mobile Banking
com.rbs.mobile.android.rbsRoyal Bank of Scotland Mobile Banking
tsb.mobilebankingTSB Bank Mobile Banking
net.inverline.bancosabadell.officelocator.activobankActivoBank

Src:

As you can see there is a massive number of affected apps so be super careful with what you are doing and I would strongly advise everyone reading this to audit your apps and if you don't need it, bin it!

Top image Src:

Sort:  

I never touch droids, ever since the Jawa sold me a bum one. Looks like this is a case for Mulder and Scully - the truth is out there.

Haha, so many innuendos! Mad skills yo!

@hetty-rowan did her job, BTW

TY moon-unit and Hettie!

🙄😋

The word has to go out as much as possible

Very very useful ... and thank you for checking all of this out. Now going to reblog your post and check my phone out once again. Maybe also worth to mention that malwarebytes for android didn't find this trojan on my phone. So if it happened to me because of the trojan, than you can't trust on malwarebytes. Unfortunately

😟

I believe that would be more that the malwarebytes signatures wouldn't have the signature included in its new updates. I would imagine we will see updates from the likes of malwarebytes and also we'll see Google scanning the play store too.

I hope to see the updates soon because it's really not a fun thing to have it happening. And luckily they weren't able to steal from me this time, but still rather not go through that once again ...

Yes let's hope Google will be alert soon too.

That is a very scary list!!!! Thanks for letting us know.

Post upvoted and reblogged @moonunit. I still don't see what can be done, other than simply don't use the effected apps, so if you have or come up with more insight about that, please share

Thank you @jerrysuseer I try to keep myself up to date on new attacks. When they involve the crypto space I do all I can to get the word out to as many as possible.

I copied most of the details of your post, used it as the basis of a msg I sent to the two banks that I use, Wells Fargo, and USAA that I was concerned about this new virus.

WF replied that they had checked and there was no virus in their system.

I thank you for the heads up, and I've warned my friends to beware of it as well.

Thank you @moonunit

That is great that they responded to you but they should't have been scanning their system. The issue is not with them specifically, rather with the infrastructure its running on I.E. Android. The compromised app once installed is logging information that should be secured in a TEE (trusted execution envirnoment) which is a secure part of the CPU on your device. This would be best practice for android devices but they may not use it due to lazy devs etc. Apple do not use TEE on their devices, they use TAP (trusted application protocol I believe) just as an FYI.

I haven't seen the detail on where the malware is picking up the information, I.E. if its in a TEE but I highly doubt it. I would say that it is monitoring transactions like device to server etc.

Whenever there is a buck to be made by scamming people are going to do it, it's why decentralisation and education and healthy scepticism and distrust of systems are important. Getting into crypto means taking responsibility in many ways people may not be ready for

Posted Using LeoFinance Beta

Yes, very true. Scammers be scamming. It is on the users to keep themselves safe. I do what I can to try to raise awareness. Thanks for checking it out.

No, Thank you. I am glad you read through and I hope it helps you to avoid being caught up in any way.

I have an Android, and looked through and saw some apps I had THOUGHT about downloading, but never did ... it was near enough, and it is good to know what to avoid -- thank YOU!

Thanks for this great info!

No problem at all. I do what I can to help when I can.

Thank you for the heads-up and warning!

No problem, Just trying to spread the word as much as possible. We are all crypto folk here.