Red Alert 2.0

Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]

ID: S0539
Platforms: Android
Version: 1.0
Created: 14 December 2020
Last Modified: 16 December 2020

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

Red Alert 2.0 can collect the device’s call log.[1]

Mobile T1432 Access Contact List

Red Alert 2.0 can collect the device’s contact list.[1]

Mobile T1418 Application Discovery

Red Alert 2.0 can obtain the running application.[1]

Mobile T1412 Capture SMS Messages

Red Alert 2.0 can collect SMS messages.[1]

Mobile T1476 Deliver Malicious App via Other Means

Red Alert 2.0 has been distributed via webpages designed to look like the Play Store.[1]

Mobile T1401 Device Administrator Permissions

Red Alert 2.0 can request device administrator permissions.[1]

Mobile T1407 Download New Code at Runtime

Red Alert 2.0 can download additional overlay templates.[1]

Mobile T1411 Input Prompt

Red Alert 2.0 has used malicious overlays to collect banking credentials.[1]

Mobile T1444 Masquerade as Legitimate Application

Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.[1]

Mobile T1406 Obfuscated Files or Information

Red Alert 2.0 has stored data embedded in the strings.xml resource file.[1]

Mobile T1582 SMS Control

Red Alert 2.0 can send SMS messages.[1]

Mobile T1437 Standard Application Layer Protocol

Red Alert 2.0 has communicated with the C2 using HTTP.[1]

Mobile T1509 Uncommonly Used Port

Red Alert 2.0 has communicated with the C2 over port 7878.[1]

Mobile T1481 Web Service

Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[1]