New ‘Alien’ malware can steal passwords from 226 Android apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

Named Alien, this new trojan has been active since the start of the year and has been offered as Malware-as-a-Service (MaaS) on underground hacking forums.

In a report shared this week with ZDNet, security researchers from ThreatFabric dug deep into forum posts and Alien samples to understand the malware’s evolution, tricks, and features.


According to researchers, Alien is not truly a new piece of code but was actually based on the source code of a rival malware gang named Cerberus.

Cerberus, while an active MaaS last year, fizzled out this year, with its owner trying to sell its codebase and customer base, before eventually leaking it for free.

ThreatFabric says Cerberus died out because Google’s security team found a way to detect and clean infected devices. But even if Alien was based on an older Cerberus version, Alien doesn’t seem to have this problem, and its MaaS stepped in to fill the void left by Cerberus’ demise.

And researchers say that Alien is even more advanced than Cerberus, a reputable and dangerous trojan in its own right.


ThreatFabric says Alien is part of a new generation of Android banking trojans that have also integrated remote-access features into their codebases.

This makes Alien a dangerous concoction to get infected with. Not only can Alien show fake login screens and collect passwords for various apps and services, but it can also grant the hackers access to devices to use said credentials or even perform other actions.

Currently, according to ThreatFabric, Alien boasts the following capabilities:

  • Can overlay content on top of other apps (feature used for phishing login credentials)
  • Log keyboard input
  • Provide remote access to a device after installing a TeamViewer instance
  • Harvest, send, or forward SMS messages
  • Steal contacts list
  • Collect device details and app lists
  • Collect geo-location data
  • Make USSD requests
  • Forward calls
  • Install and start other apps
  • Start browsers on desired pages
  • Lock the screen for a ransomware-like feature
  • Sniff notifications shown on the device
  • Steal 2FA codes generated by authenticator apps

That’s quite an impressive array of features. ThreatFabric says these are mostly used for fraud-related operations, as most Android trojans tend to be these days, with the hackers targeting online accounts, searching for money.
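A defender can turn the capability list above into a rough triage over an app inventory. The following is an added example, not code from ThreatFabric or the original article; the capability-to-permission mapping, the threshold, and the package names are assumptions, and a match marks an app for review rather than identifying Alien.

```python
"""Triage apps by how many of the listed capability groups their declared
permissions would enable. The mapping is an assumption of this example."""

P = "android.permission."
CAPABILITY_PERMISSIONS = {
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "input capture (accessibility)": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "sms": {P + "READ_SMS", P + "SEND_SMS", P + "RECEIVE_SMS"},
    "contacts": {P + "READ_CONTACTS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "ussd / calls": {P + "CALL_PHONE"},
    "install apps": {P + "REQUEST_INSTALL_PACKAGES"},
    "notification access": {P + "BIND_NOTIFICATION_LISTENER_SERVICE"},
}

def capabilities(app):
    """Return the sorted capability groups an app's manifest would enable.

    app["uses"]: names from <uses-permission>; app["services"]: values of
    android:permission on declared <service> elements (BIND_* live there).
    """
    declared = set(app.get("uses", ())) | set(app.get("services", ()))
    return sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                  if perms & declared)

def triage(inventory, threshold=4):
    """Return (package, capabilities) at or above threshold, widest first."""
    hits = [(pkg, capabilities(app)) for pkg, app in inventory.items()]
    hits = [h for h in hits if len(h[1]) >= threshold]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

# Constructed inventory (hypothetical package names, not real samples).
SAMPLE_INVENTORY = {
    "com.example.utility": {
        "uses": [P + "SYSTEM_ALERT_WINDOW", P + "READ_SMS", P + "SEND_SMS",
                 P + "READ_CONTACTS", P + "CALL_PHONE",
                 P + "REQUEST_INSTALL_PACKAGES"],
        "services": [P + "BIND_ACCESSIBILITY_SERVICE",
                     P + "BIND_NOTIFICATION_LISTENER_SERVICE"],
    },
    "com.example.maps": {"uses": [P + "ACCESS_FINE_LOCATION"], "services": []},
    "com.example.messenger": {
        "uses": [P + "READ_SMS", P + "READ_CONTACTS"],
        "services": [P + "BIND_NOTIFICATION_LISTENER_SERVICE"],
    },
}

if __name__ == "__main__":
    for pkg, caps in triage(SAMPLE_INVENTORY):
        print(f"{pkg}: {len(caps)} groups -> {', '.join(caps)}")
```

Legitimate apps request some of these permissions individually, so the signal is the breadth of the combination in an app whose stated purpose does not need it.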

During their analysis, researchers said they found that Alien had support for showing fake login pages for 226 other Android applications (full list in the ThreatFabric report).

Most of these fake login pages were aimed at intercepting credentials for e-banking apps, clearly supporting ThreatFabric's assessment that Alien was intended for fraud.

However, Alien targeted other apps as well, such as email, social, instant messaging, and cryptocurrency apps (e.g., Gmail, Facebook, Telegram, Twitter, Snapchat, WhatsApp, etc.).

Most of the banking apps targeted by Alien developers were for financial institutions based mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.