New Android Malware 'Alien' Targeting Coinbase Wallets Can Steal Passwords

A new Android malware, named "Alien", targeting financial apps is capable of stealing credentials from 226 applications including cryptocurrency apps like Coinbase, according to security researchers from ThreatFabric.

The researchers say Alien has been active since the beginning of 2020 and is being offered as a "Malware-as-a-Service (MaaS)" in underground forums. The team noted that Alien was based on the source code for Cerberus, a notorious malware that Google's security team was able to control by August 2020, Cointelegraph reported.

Alien, even though it has the same base code as Cerberus, is more advanced and can intercept Two-Factor Authentication (2FA) codes and mimic and overlay content on top of other apps. This makes Alien dangerous because it can fake screens and collect passwords, said news outlet ZDNet.

ZDNet also listed a number of Alien's advanced features, such as harvesting and forwarding SMS messages, getting remote access, logging in keyboard inputs, forward calls, installing other apps and sniffing notifications shown on mobile devices.

The researchers from ThreatFabric said such features mean it targets online accounts to steal money. And they were right, as they found out that Alien can show fake login pages to around 226 Android applications, such as Gmail, Facebook, as well as financial apps like Santander, CIBC Mobile Banking, Bank of Melbourne Mobile Banking and HSBC Mobile Banking. Notably, the malware can attack cryptocurrency apps on Android, including Blockchain.com, Luno, Mycelium and Coinbase.

If a Coinbase account gets compromised, Alien will be able to sniff its 2FA, password, login credentials and funds.

The ZDNet report said while some malicious apps can still get distributed on the Google Play Store, most of the time, they are distributed through other channels.

One way to easily spot an app already tainted by Alien is when it specifically asks for admin rights or access to the phone's Accessibility service. Another way to protect oneself against this malware is to not install apps from shady sites or grant them admin rights.