Unit42 recently discovered 22 Android apps that belong to a new Trojan family we’re calling “Xbot”.
This Trojan, which is still under development and regularly updated, is already capable of multiple malicious behaviors. It tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of 7 different banks’ apps.
It can also remotely lock infected Android devices, encrypt th
e user’s files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom. In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS
messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.