Red Alert 2.0

Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]

ID: S0539
Platforms: Android
Version: 1.0
Created: 14 December 2020
Last Modified: 16 December 2020

Techniques Used

Domain ID Name Use
Mobile T1626 .001 Abuse Elevation Control Mechanism: Device Administrator Permissions

Red Alert 2.0 can request device administrator permissions.[1]

Mobile T1437 .001 Application Layer Protocol: Web Protocols

Red Alert 2.0 has communicated with the C2 using HTTP.[1]

Mobile T1407 Download New Code at Runtime

Red Alert 2.0 can download additional overlay templates.[1]

Mobile T1417 .002 Input Capture: GUI Input Capture

Red Alert 2.0 has used malicious overlays to collect banking credentials.[1]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.[1]

Mobile T1509 Non-Standard Port

Red Alert 2.0 has communicated with the C2 using HTTP requests over port 7878.[1]

Mobile T1406 Obfuscated Files or Information

Red Alert 2.0 has stored data embedded in the strings.xml resource file.[1]

Mobile T1636 .002 Protected User Data: Call Log

Red Alert 2.0 can collect the device’s call log.[1]

.003 Protected User Data: Contact List

Red Alert 2.0 can collect the device’s contact list.[1]

.004 Protected User Data: SMS Messages

Red Alert 2.0 can collect SMS messages.[1]

Mobile T1582 SMS Control

Red Alert 2.0 can send SMS messages.[1]

Mobile T1418 Software Discovery

Red Alert 2.0 can obtain the running application.[1]

Mobile T1481 .001 Web Service: Dead Drop Resolver

Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[1]