Beware Android Users! “Xbot” Trojan is stealing Banking Credentials!

Security researchers at Palo Alto Networks have found a new Android Trojan. It is called Xbot, and it is capable of stealing sensitive data from an infected device. The Trojan is not widely spread yet, but it is targeting devices in Russia and Australia. It can steal users' online banking login credentials, and it also acts as ransomware, holding the files on a device hostage. The criminals behind it are very clever and are spreading it quickly to reach as many devices as possible.

The Trojan appears to have been written by expert programmers: its code is very complex and difficult to detect. It first infects the user and then hides itself in the device's file system. Xbot steals online banking login credentials and other sensitive user information using an "activity hijacking" technique. The criminals control it through C&C (command and control) servers. When the user opens an application, Xbot launches an action of its own at the same time; the user notices nothing and believes only the intended application is running. The Trojan can harm any device running an outdated version of Android.

How does it work?

Xbot can recognize financial apps. When the user launches an application, the Trojan monitors it; if it is a banking app or another financial app, Xbot goes to work and steals the sensitive information the user enters. The code written by its author is complex enough that it can easily recognize the working architecture of an application. Once Xbot recognizes a banking app, it sets up a channel between the device and the control server and sends everything it has gathered to that server. In simple terms, it works like an agent that steals sensitive information from the device and passes it on to the control server.

The authors of the Trojan use fake interfaces to steal information from users. These interfaces imitate the ones used by well-known banks in Australia and Russia. When a user fills in a username, password and credit card details on such a form, the data goes directly to the command and control server. Users believe they are submitting their credentials to the bank's servers, but that is not what actually happens. Researchers at Palo Alto have detected six such fake interfaces used by the criminals.
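The two paragraphs above describe the same pattern from the defender's point of view: a malicious app waits for a banking app to start and immediately puts its own fake login screen on top of it. One way to catch that on a device is to watch the ActivityManager launch log for a third-party activity that starts within a second or two of a financial app. The script below is an added example, not code from the article or from Palo Alto Networks; the log lines, the package names (com.example.bank, com.shady.updater and so on) and the allow-list are constructed for the example, and the two-second window is an assumed threshold.

```python
import re

# Constructed sample of Android logcat ActivityManager lines (not captured from
# a real device and not related to Xbot). Each "START u0 {...cmp=pkg/activity}"
# line records an activity launch; all package names are hypothetical.
SAMPLE_LOG = """\
02-19 10:15:03.120  1234  5678 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.example.bank/.LoginActivity} from uid 10123
02-19 10:15:03.410  1234  5678 I ActivityManager: START u0 {flg=0x10000000 cmp=com.shady.updater/.OverlayActivity} from uid 10177
02-19 10:15:20.002  1234  5678 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.android.settings/.Settings} from uid 1000
02-19 10:16:00.500  1234  5678 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.example.wallet/.MainActivity} from uid 10140
02-19 10:16:09.000  1234  5678 I ActivityManager: START u0 {cmp=com.android.chrome/.Main} from uid 10090
"""

# Matches the logcat timestamp and the cmp=package/activity component of a launch.
START_RE = re.compile(
    r"^(?P<mon>\d\d)-(?P<day>\d\d) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d{3}) .*"
    r"ActivityManager: START u0 \{.*?cmp=(?P<pkg>[\w.]+)/(?P<act>[\w.]+)\}"
)

# Hypothetical list of financial apps the defender wants to protect.
FINANCIAL_APPS = {"com.example.bank", "com.example.wallet"}
# Hypothetical allow-list of packages that legitimately appear right after a launch.
TRUSTED_PACKAGES = {"com.android.systemui"}
# Assumed threshold: a foreign activity this soon after a financial app is suspicious.
WINDOW_SECONDS = 2.0


def parse_events(log_text):
    """Return (seconds_since_midnight, package, activity) for each launch line."""
    events = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if not m:
            continue  # not an activity launch line
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        events.append((secs, m["pkg"], m["act"]))
    return events


def detect_activity_hijack(events, financial=FINANCIAL_APPS,
                           trusted=TRUSTED_PACKAGES, window=WINDOW_SECONDS):
    """Flag any untrusted activity that starts within `window` seconds of a financial app."""
    alerts = []
    last_financial = None  # (timestamp, package) of the most recent financial launch
    for ts, pkg, act in events:
        if pkg in financial:
            last_financial = (ts, pkg)
            continue
        if last_financial is None or pkg in trusted:
            continue
        delta = ts - last_financial[0]
        if 0 <= delta <= window:
            alerts.append({
                "suspect": pkg,
                "activity": act,
                "victim": last_financial[1],
                "delay_s": round(delta, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_activity_hijack(parse_events(SAMPLE_LOG)):
        print(f"possible overlay: {alert['suspect']}{alert['activity']} "
              f"started {alert['delay_s']}s after {alert['victim']}")
```

On the sample above only the com.shady.updater launch is flagged: it starts 0.29 s after the bank's login activity, whereas the Settings and Chrome launches fall well outside the window. In practice the financial-app list would come from the device's installed apps and the window would be tuned against normal launch timing, and an alert is a reason to inspect the suspect package's permissions and origin rather than proof of infection.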

Xbot is also ransomware. The criminals behind it can target victims through a WebView interface, using the well-known ransomware program CryptoLocker. They first encrypt all the files on the device and then demand US$100 for the decryption key, collecting the money through a specially designed spoofed PayPal site.

Source: CIO blog