Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1433 | Access Call Log | Red Alert 2.0 can collect the device's call log.[1] |
| Mobile | T1432 | Access Contact List | Red Alert 2.0 can collect the device's contact list.[1] |
| Mobile | T1418 | Application Discovery | Red Alert 2.0 can obtain the running application.[1] |
| Mobile | T1412 | Capture SMS Messages | Red Alert 2.0 can collect SMS messages.[1] |
| Mobile | T1476 | Deliver Malicious App via Other Means | Red Alert 2.0 has been distributed via webpages designed to look like the Play Store.[1] |
| Mobile | T1401 | Device Administrator Permissions | Red Alert 2.0 can request device administrator permissions.[1] |
| Mobile | T1407 | Download New Code at Runtime | Red Alert 2.0 can download additional overlay templates.[1] |
| Mobile | T1411 | Input Prompt | Red Alert 2.0 has used malicious overlays to collect banking credentials.[1] |
| Mobile | T1444 | Masquerade as Legitimate Application | Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.[1] |
| Mobile | T1406 | Obfuscated Files or Information | Red Alert 2.0 has stored data embedded in the strings.xml resource file.[1] |
| Mobile | T1582 | SMS Control | Red Alert 2.0 can send SMS messages.[1] |
| Mobile | T1437 | Standard Application Layer Protocol | Red Alert 2.0 has communicated with the C2 using HTTP.[1] |
| Mobile | T1509 | Uncommonly Used Port | Red Alert 2.0 has communicated with the C2 over port 7878.[1] |
| Mobile | T1481 | Web Service | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[1] |