Nasty Android malware steals passwords from over 200 apps — what to do now

Close-up of a 'small gray' alien's face in an illustration.
(Image credit: adike/Shutterstock)

A new strain of Android malware steals passwords from Facebook, Google, WhatsApp and more than 200 other apps, swipes Google Authenticator two-factor-authentication codes, steals contact lists, logs keystrokes and installs apps. It could even give hackers near-total control of your phone. 

The ultimate aim is to take over your online accounts, especially bank accounts, and steal your money.

Dubbed "Alien" by its creators, the malware is a new variant on the Cerebus banking Trojan, which went open-source in August after Android's built-in Play Protect threat detector learned how to spot it. This new bug doesn't have that problem, say researchers at Amsterdam-based information-security firm ThreatFabric.

The Alien malware embeds itself in fake fitness apps, fake Flash Player apps, fake coronavirus-related apps and even fake versions of Google Update. ThreatFabric thinks the apps are mainly distributed via malicious websites and SMS text messages. 

"A lot of it seems distributed via phishing sites, for example [a] malicious page tricking the victims into downloading fake software updates or fake Corona apps," ThreatFabric malware analyst Gaetan van Diemen told ZDNet's Catalin Cimpanu

"Another method observed to be used is the SMS — once they infect a device they collect the contact list which they then reuse for further spreading of their malware campaign." 

One more thing: Upon installation, Alien-infected apps will ask for permission to get administrative privileges on your phone, which will give them powers over other apps and system settings. Generally, only antivirus apps and find-my-device features should have such privileges.

How to protect yourself from Alien malware

To protect yourself from Alien and other information-stealing mobile malware, never download an Android app from outside the Google Play Store — especially when that app comes to you through a random website or message. But even Google Play has malware sometimes, so you'll need to install and use one of the best Android antivirus apps. 

And definitely do not grant administrative privileges to random apps, or to any apps at all unless there's a very specific reason for the app to have them.

More than 200 apps targeted by Alien malware

The Alien malware has already been modified to target users in more than a dozen different countries, led by Spain, Turkey, Germany and the United States. 

It captures user passwords by generating fake screens that mimic the login pages of at least 226 different Android apps, most of them banks in the targeted countries. Some cryptocurrency apps are also targeted.

Among leading banks in the U.S., Canada and the United Kingdom, the targeted institutions include Bank of America, Capitol One, Citibank, Chase, Fifth Third, SunTrust, TD Bank, US Bank, Wells Fargo, BMO, CIBC, National Bank of Canada, RBC, TD Canada, Barclays, HSBC, Lloyds Bank, NatWest, Royal Bank of Scotland and TSB.

Alien doesn't limit itself to banking apps. Some cryptocurrency apps are also targeted, naturally, but so are apps for many of the most widely used online services, including Amazon, AT&T, eBay, Facebook, Gmail, Google Play, Google Play Games, Instagram, Netflix, Outlook, PayPal, Skype, Snapchat, Telegram, Twitter, USAA, Viber, WhatsApp and Yahoo Mail. 

Seizing control over any of those accounts would give the attackers a pretty deep insight into a person's life. For example, email accounts could be leveraged to seize other accounts that send lost-password reset codes to users' email addresses. 

The fact that Alien can also read SMS messages and one-time codes generated by Google Authenticator means that many forms of two-factor authentication aren't safe.

What Alien can do on your phone

The full list of Alien's abilities is pretty breathtaking. ThreatFabric lists them as:

  • Keylogging
  • Remote access
  • SMS harvesting: SMS listing
  • SMS harvesting: SMS forwarding
  • Device info collection
  • Contact list collection
  • Application listing
  • Location collection
  • Overlaying: Targets list update
  • SMS: Sending
  • Calls: USSD request making
  • Calls: Call forwarding
  • Remote actions: App installing
  • Remote actions: App starting
  • Remote actions: App removal
  • Remote actions: Showing arbitrary web pages
  • Remote actions: Screen-locking
  • Notifications: Push notifications
  • C2 Resilience: Auxiliary C2 list
  • Self-protection: Hiding the App icon
  • Self-protection: Preventing removal
  • Self-protection: Emulation-detection
  • Architecture: Modular

If none of the regular methods to grab user passwords work, Alien has an ace up its sleeve, one that its predecessor Cerberus never had. 

Thanks to its ability to install apps on its own, Alien can install the TeamViewer remote-control and screen-sharing app to be used as a remote-access Trojan (RAT).

That will give the attackers near-total visibility into, and in most cases total control over, your phone. They'll be able to see everything you do on the phone and to often do things themselves.

The one saving grace is that once TeamViewer is installed by the crooks, it will show up in your app tray and you'll be able to see that it's there — and remove it. However, ThreatFabric  says that may not be the case for much longer.

"It would be logical for them to improve the RAT, which is currently based on TeamViewer (and therefore visible when installed and executed on the device)," the ThreatFabric blog post said. 

"What can be considered for granted is that the number of new banking Trojans will only continue growing, many embedding new and improved features to increase the success rate of fraud."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.