And no, its not @acidyo or @derangedvisions from the OCD community, although them guys are weird, right? This is a new trojan is affecting Android users and the Coinbase, blockchain.com and luno wallets. The trojan is based on the Cerburus trojan from some years back. Google play store was almost free of infected apps, mainly because the group behind it pretty much deserted it when Google discoverd a way to track infected apps, but the trojan has seen new life in recent weeks after its been picked up by a new group and its spreading. There are 226 apps that are currently affected. This particular trojan has the ability to intercept 2fa codes and passwords in transit. This is a dangerous trojan. I would strongly advise anyone using an android device to keep your eyes peeled and uninstall any unused or questionable apps from your devices.
This first came to my attention a couple of weeks ago when @hetty-rowan hit me up on discord to say she had a lot of weird things happening in her coinbase wallet. Her account had been compromised and she had 2fa enabled. The attacker was able to convert some of her coins to BTC but thankfully they were unable to withdraw the funds from her account as she had the email feature also enabled.
FYI: Hetty does not know the answer to your questions!! There are apps listed below, read the list and if you have an affected app, remove it.
Currently, according to ThreatFabric, Alien boasts the following capabilities:
- Can overlay content on top of other apps (feature used for phishing login credentials)
- Log keyboard input
- Provide remote access to a device after installing a TeamViewer instance
- Harvest, send, or forward SMS messages
- Steal contacts list
- Collect device details and app lists
- Collect geo-location data
- Make USSD requests
- Forward calls
- Install and start other apps
- Start browsers on desired pages
- Lock the screen for a ransomware-like feature
- Sniff notifications showed on the device
- Steal 2FA codes generated by authentication apps
Apps and specific package names for that are infected are listed below.
| Package name | App name |
|---|---|
| com.coinbase.android | Coinbase – Buy & Sell Bitcoin. Crypto Wallet |
| piuk.blockchain.android | Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum |
| com.bbva.bbvacontigo | BBVA Spain |
| com.bankinter.launcher | Bankinter Móvil |
| es.bancosantander.apps | Santander |
| es.univia.unicajamovil | UnicajaMovil |
| es.cm.android | Bankia |
| es.evobanco.bancamovil | EVO Banco móvil |
| com.kutxabank.android | Kutxabank |
| com.rsi | ruralvía |
| com.akbank.android.apps.akbank_direkt | Akbank |
| com.garanti.cepsubesi | Garanti BBVA Mobile |
| com.finansbank.mobile.cepsube | QNB Finansbank Mobile Banking |
| com.connectivityapps.hotmail | Connect for Hotmail & Outlook: Mail and Calendar |
| com.teb | CEPTETEB |
| com.ykb.android | Yapı Kredi Mobile |
| finansbank.enpara | Enpara.com Cep Şubesi |
| com.tmobtech.halkbank | Halkbank Mobil |
| com.kuveytturk.mobil | Kuveyt Türk |
| com.ziraat.ziraatmobil | Ziraat Mobile |
| com.pozitron.iscep | İşCep - Mobile Banking |
| com.vakifbank.mobile | VakıfBank Mobil Bankacılık |
| es.ibercaja.ibercajaapp | Ibercaja |
| com.abnamro.nl.mobile.payments | ABN AMRO Mobiel Bankieren |
| pl.pkobp.iko | IKO |
| pl.mbank | mBank PL |
| pe.com.interbank.mobilebanking | Interbank APP |
| jp.co.rakuten_bank.rakutenbank | 楽天銀行 -個人のお客様向けアプリ |
| com.sbi.sbifreedomplus | - |
| it.copergmps.rt.pf.android.sp.bmps | Banca MPS |
| com.google.android.gm | Gmail |
| com.mail.mobile.android.mail | mail.com mail |
| it.bnl.apps.banking | BNL |
| it.ingdirect.app | ING Italia |
| com.yahoo.mobile.client.android.mail | Yahoo Mail – Organized Email |
| com.db.mm.norisbank | norisbank App |
| com.db.pbc.miabanca | La Mia Banca |
| eu.unicreditgroup.hvbapptan | HVB Mobile Banking |
| de.commerzbanking.mobil | Commerzbank Banking - The app at your side |
| de.fiducia.smartphone.android.banking.vr | VR Banking Classic |
| de.postbank.finanzassistent | Postbank Finanzassistent |
| com.targo_prod.bad | TARGOBANK Mobile Banking |
| de.comdirect.android | comdirect mobile App |
| de.dkb.portalapp | DKB-Banking |
| com.starfinanz.smob.android.sfinanzstatus | Sparkasse Ihre mobile Filiale |
| de.consorsbank | Consorsbank |
| com.finanteq.finance.ca | CA24 Mobile |
| com.boursorama.android.clients | Boursorama Banque |
| com.caisseepargne.android.mobilebanking | Banque |
| com.cm_prod.bad | Crédit Mutuel |
| com.ingdirectandroid | - |
| fr.lcl.android.customerarea | Mes Comptes - LCL |
| fr.banquepopulaire.cyberplus | Banque Populaire |
| fr.creditagricole.androidapp | Ma Banque |
| mobi.societegenerale.mobile.lappli | L'Appli Société Générale |
| au.com.nab.mobile | NAB Mobile Banking |
| com.cibc.android.mobi | CIBC Mobile Banking® |
| com.grppl.android.shell.cmblloydstsb73 | - |
| com.grppl.android.shell.halifax | Halifax: the banking app that gives you extra |
| org.stgeorge.bank | St.George Mobile Banking |
| com.att.mywireless | - |
| com.chase.sig.android | Chase Mobile |
| com.clairmail.fth | Fifth Third Mobile Banking |
| com.csam.icici.bank.imobile | iMobile by ICICI Bank |
| com.unicredit | Mobile Banking UniCredit |
| it.popso.scrignoapp | - |
| com.microsoft.office.outlook | Microsoft Outlook: Organize Your Email & Calendar |
| com.infonow.bofa | Bank of America Mobile Banking |
| com.konylabs.capitalone | Capital One® Mobile |
| com.suntrust.mobilebanking | SunTrust Mobile App |
| com.usaa.mobile.android.usaa | USAA Mobile |
| com.usbank.mobilebanking | U.S. Bank - Inspired by customers |
| com.wf.wellsfargomobile | Wells Fargo Mobile |
| com.bmo.mobile | BMO Mobile Banking |
| it.nogood.container | UBI Banca |
| com.rbc.mobile.android | RBC Mobile |
| com.latuabancaperandroid | Intesa Sanpaolo Mobile |
| com.ingbanktr.ingmobil | ING Mobil |
| com.magiclick.odeabank | Odeabank |
| posteitaliane.posteapp.apppostepay | Postepay |
| tr.com.sekerbilisim.mbank | ŞEKER MOBİL ŞUBE |
| com.commbank.netbank | CommBank |
| com.android.vending | Google Play |
| es.liberbank.cajasturapp | Banca Digital Liberbank |
| www.ingdirect.nativeframe | ING España. Banca Móvil |
| com.cajasur.android | Cajasur |
| com.tecnocom.cajalaboral | Banca Móvil Laboral Kutxa |
| com.db.pbc.mibanco | Mi Banco db |
| net.inverline.bancosabadell.officelocator.android | Banco Sabadell App. Your mobile bank |
| com.bbva.netcash | BBVA Net Cash ES & PT |
| es.bancosantander.empresas | Santander Empresas |
| com.paypal.android.p2pmobile | PayPal Mobile Cash: Send and Request Money Fast |
| pl.bzwbk.bzwbk24 | Santander mobile |
| es.caixageral.caixageralapp | Banco Caixa Geral España |
| alior.bankingapp.android | Usługi Bankowe |
| eu.eleader.mobilebanking.pekao | Pekao24Makler |
| eu.eleader.mobilebanking.pekao.firm | PekaoBiznes24 |
| com.facebook.katana | |
| com.imaginbank.app | imaginBank - Your mobile bank |
| com.whatsapp | WhatsApp Messenger |
| com.snapchat.android | Snapchat |
| com.twitter.android | |
| org.telegram.messenger | Telegram |
| com.instagram.android | |
| com.viber.voip | Viber Messenger - Messages, Group Chats & Calls |
| es.lacaixa.mobile.android.newwapicon | CaixaBank |
| softax.pekao.powerpay | PeoPay |
| com.ebay.mobile | eBay: Buy, sell, and save money on home essentials |
| com.amazon.mshop.android.shopping | - |
| com.getingroup.mobilebanking | Getin Mobile |
| wit.android.bcpbankingapp.millenniumpl | - |
| com.konylabs.cbplpat | Citi Handlowy |
| es.caixagalicia.activamovil | ABANCA- Banca Móvil |
| com.moneybookers.skrillpayments.neteller | NETELLER - fast, secure and global money transfers |
| com.pcfinancial.mobile | Simplii Financial |
| com.td | TD Canada |
| cz.csob.smartbanking | ČSOB Smartbanking |
| com.airbitz | Bitcoin Wallet - Airbitz |
| clientapp.swiftcom.org | ePayments: wallet & bank card |
| de.number26.android | N26 — The Mobile Bank |
| au.com.ingdirect.android | ING Australia Banking |
| com.payoneer.android | Payoneer – Global Payments Platform for Businesses |
| com.cimbmalaysia | CIMB Clicks Malaysia |
| eu.eleader.mobilebanking.invest | plusbank24 |
| com.moneybookers.skrillpayments | Skrill - Fast, secure online payments |
| com.mycelium.wallet | Mycelium Bitcoin Wallet |
| uk.co.santander.santanderuk | - |
| com.aff.otpdirekt | OTP SmartBank |
| com.kasikorn.retail.mbanking.wap | K PLUS |
| com.krungsri.kma | KMA |
| com.scb.phone | SCB EASY |
| com.netflix.mediaclient | Netflix |
| com.bendigobank.mobile | Bendigo Bank |
| com.citibank.citibankmy | - |
| com.konylabs.hongleongconnect | - |
| org.banksa.bank | BankSA Mobile Banking |
| org.bom.bank | Bank of Melbourne Mobile Banking |
| at.volksbank.volksbankmobile | Volksbank hausbanking |
| net.bnpparibas.mescomptes | Mes Comptes BNP Paribas |
| com.ocito.cdn.activity.creditdunord | Crédit du Nord pour Mobile |
| pl.bph | BusinessPro Lite |
| pt.bancobpi.mobile.fiabilizacao | BPI APP |
| pt.novobanco.nbapp | NB smart app |
| pt.santandertotta.mobileparticulares | Santander Particulares |
| com.bankofqueensland.boq | BOQ Mobile |
| fr.laposte.lapostemobile | La Poste - Services Postaux |
| com.cic_prod.bad | CIC |
| com.fortuneo.android | Fortuneo, mes comptes banque & bourse en ligne |
| nz.co.asb.asbmobile | ASB Mobile Banking |
| pl.bzwbk.ibiznes24 | iBiznes24 mobile |
| pl.millennium.corpapp | - |
| net.garagecoders.e_llavescotiainfo | ScotiaMóvil |
| com.credemmobile | - |
| it.carige | Carige Mobile |
| eu.inmite.prj.kb.mobilbank | Mobilni Banka |
| jp.co.netbk | 住信SBIネット銀行 |
| au.com.cua.mb | CUA Mobile Banking |
| com.advantage.raiffeisenbank | - |
| com.bankaustria.android.olb | Bank Austria MobileBanking |
| com.barclays.android.barclaysmobilebanking | Barclays |
| com.bochk.com | BOCHK |
| com.htsu.hsbcpersonalbanking | HSBC Mobile Banking |
| com.anz.android.gomoney | ANZ Australia |
| com.bankia.wallet | Bankia Wallet |
| com.fusion.banking | Bank Australia app |
| com.fusion.beyondbank | Beyond Bank Australia |
| com.greater.greater | - |
| com.bancsabadell.wallet | Sabadell Wallet |
| es.bancosantander.wallet | Santander Wallet |
| com.fullsix.android.labanquepostale.accountaccess | La Banque Postale |
| com.cajamar.cajamar | - |
| wit.android.bcpbankingapp.millennium | - |
| enterprise.com.anz.shield | ANZ Shield |
| com.fibabanka.mobile | Fibabanka Corporate Mobile |
| com.mobileloft.alpha.droid | myAlpha Mobile |
| mbanking.nbg | - |
| com.eurobankefg | - |
| es.bancopopular.nbmpopular | Popular |
| ktbcs.netbank | Krungthai NEXT |
| com.bbva.bbvawallet | BBVA Wallet Spain. Mobile Payment |
| com.bancomer.mbanking | BBVA México (Bancomer Móvil) |
| ar.com.santander.rio.mbanking | Santander Argentina |
| com.mercadolibre | Mercado Libre: compra fácil y rápido |
| es.santander.money | Santander Money Plan |
| com.dhanlaxmi.dhansmart.mtc | Dhanlaxmi Bank Mobile Banking |
| com.infrasofttech.centralbank | - |
| com.infrasofttech.mahabank | - |
| com.msf.kbank.mobile | Kotak - 811 & Mobile Banking |
| com.sbi.sbanywherecorporate | - |
| com.snapwork.hdfc | HDFC Bank MobileBanking |
| com.samba.mb | SambaMobile |
| eu.netinfo.colpatria.system | Scotiabank Colpatria |
| com.todo1.mobile | Bancolombia App Personas |
| org.westpac.bank | Westpac Mobile Banking |
| au.com.suncorp.suncorpbank | - |
| au.com.pnbank.android | P&N BANKING APP |
| com.ing.mobile | ING Bankieren |
| com.tfkb | Türkiye Finans Mobile Branch |
| finansbank.enpara.sirketim Enpara.com | Şirketim Cep Şubesi |
| com.google.android.play.games | Google Play Games |
| com.icomvision.bsc.tbc | TBC Bank |
| com.citi.citimobile | Citi Mobile® |
| com.tdbank | TD Bank (US) |
| com.unionbank.ecommerce.mobile.android | Union Bank Mobile Banking |
| com.comarch.security.mobilebanking | ING Business |
| de.sdvrz.ihb.mobile.secureapp.sparda.produktion | SpardaSecureApp |
| au.com.bankwest.mobile | Bankwest |
| com.hsbc.hsbcnet | HSBCnet Mobile |
| com.nearform. | ptsb permanent tsb |
| org.banking.bom.businessconnect | Bank of Melbourne Business App |
| org.banking.bsa.businessconnect | BankSA Business App |
| org.banking.stg.businessconnect | St.George Business App |
| org.westpac.col | Westpac Corporate Mobile |
| ca.bnc.android | National Bank of Canada |
| ca.servus.mbanking | Servus Mobile Banking |
| co.bitx.android.wallet | Luno: Buy Bitcoin, Ethereum and Cryptocurrency |
| com.acceltree.mtc.screens | Alawwal Mobile |
| enbd.mobilebanking | Emirates NBD |
| lt.spectrofinance.spectrocoin.android.wallet | Bitcoin Wallet by SpectroCoin |
| com.skype.raider | Skype - free IM & video calls |
| com.barclaycardus | Barclays US |
| com.grppl.android.shell.bos | - |
| com.rbs.mobile.android.natwest | NatWest Mobile Banking |
| com.rbs.mobile.android.rbs | Royal Bank of Scotland Mobile Banking |
| tsb.mobilebanking | TSB Bank Mobile Banking |
| net.inverline.bancosabadell.officelocator.activobank | ActivoBank |
As you can see there is a massive number of affected apps so be super careful with what you are doing and I would strongly advise everyone reading this to audit your apps and if you don't need it, bin it!
I never touch droids, ever since the Jawa sold me a bum one. Looks like this is a case for Mulder and Scully - the truth is out there.
Haha, so many innuendos! Mad skills yo!
@hetty-rowan did her job, BTW
TY moon-unit and Hettie!
🙄😋
The word has to go out as much as possible
Very very useful ... and thank you for checking all of this out. Now going to reblog your post and check my phone out once again. Maybe also worth to mention that malwarebytes for android didn't find this trojan on my phone. So if it happened to me because of the trojan, than you can't trust on malwarebytes. Unfortunately
😟
I believe that would be more that the malwarebytes signatures wouldn't have the signature included in its new updates. I would imagine we will see updates from the likes of malwarebytes and also we'll see Google scanning the play store too.
I hope to see the updates soon because it's really not a fun thing to have it happening. And luckily they weren't able to steal from me this time, but still rather not go through that once again ...
Yes let's hope Google will be alert soon too.
That is a very scary list!!!! Thanks for letting us know.
Post upvoted and reblogged @moonunit. I still don't see what can be done, other than simply don't use the effected apps, so if you have or come up with more insight about that, please share
Thank you @jerrysuseer I try to keep myself up to date on new attacks. When they involve the crypto space I do all I can to get the word out to as many as possible.
I copied most of the details of your post, used it as the basis of a msg I sent to the two banks that I use, Wells Fargo, and USAA that I was concerned about this new virus.
WF replied that they had checked and there was no virus in their system.
I thank you for the heads up, and I've warned my friends to beware of it as well.
Thank you @moonunit
That is great that they responded to you but they should't have been scanning their system. The issue is not with them specifically, rather with the infrastructure its running on I.E. Android. The compromised app once installed is logging information that should be secured in a TEE (trusted execution envirnoment) which is a secure part of the CPU on your device. This would be best practice for android devices but they may not use it due to lazy devs etc. Apple do not use TEE on their devices, they use TAP (trusted application protocol I believe) just as an FYI.
I haven't seen the detail on where the malware is picking up the information, I.E. if its in a TEE but I highly doubt it. I would say that it is monitoring transactions like device to server etc.
Whenever there is a buck to be made by scamming people are going to do it, it's why decentralisation and education and healthy scepticism and distrust of systems are important. Getting into crypto means taking responsibility in many ways people may not be ready for
Posted Using LeoFinance Beta
Yes, very true. Scammers be scamming. It is on the users to keep themselves safe. I do what I can to try to raise awareness. Thanks for checking it out.
Thank you!
No, Thank you. I am glad you read through and I hope it helps you to avoid being caught up in any way.
I have an Android, and looked through and saw some apps I had THOUGHT about downloading, but never did ... it was near enough, and it is good to know what to avoid -- thank YOU!
Thanks for this great info!
No problem at all. I do what I can to help when I can.
Thank you for the heads-up and warning!
No problem, Just trying to spread the word as much as possible. We are all crypto folk here.