A newly discovered Android trojan mimics the Google Play Store payment interface to phish for users’ credit card details. Dubbed the Xbot trojan by the team at Palo Alto Networks in California, the trojan is also capable of mimicking the login pages for different banks, remotely encrypting an infected phone with ransomware, and intercepting text messages. Xbot appears to be in the early stages of development but its complexity and myriad capabilities mean you may be hearing more about it in the coming year. 

Six of the banks targeted by the trojan at this juncture are Australian but Xbot is adaptable. As the researchers “observed the author making regular updates and improvements, this malware could soon threaten Android users around the world.” This focus on phishing credit card and banking login details makes it similar to the recently reported SlemBunk trojan which is also designed to steal credentials from mobile banking users. SlemBunk is also international in scope, actively harvests user credentials, and is in the process of evolving. So far Xbot’s scope appears to be Android users in Russia and Australia.

Both trojans are designed to lay dormant on a user’s smartphone until they open a banking application. At that point, the malware recognizes that a banking application has been launched and launches its own customized interface made to look like the original app. Such custom phishing interfaces are designed to appear as close to the legitimate banking app as possible. The attack technique is called “activity hijacking.”

It performs a similar phishing attack when the Google Play store application is opened. Users are prompted to register for the Play Store by providing their credit card information, even if they have already entered it into the legitimate Play Store. The information it asks for includes the credit card number, expiration date, CVV number, card holder’s name, billing address, phone number and the VBV (Verified by Visa) or McSec (MasterCard SecureCode) numbers.

Not only does Xbot collect the affected users’ text messages but also parses the text for mTANs (Mobile Transaction Authentication Number) from banks. Currently this ability is limited but as mentioned earlier, the malware author(s) have built an adaptable trojan that can expand its scope to other regions, languages, and banks. Some of Xbot’s features will only affect users with Android 5.0 phones or below but all users are vulnerable to at least some of its malicious capabilities.