A newly discovered trojan, known as Alien, is attacking crypto apps on Android phones, including Coinbase, Blockchain.com, and Luno. This new malware strain is based on the notorious Cerberus trojan, which wreaked havoc in the Google Play store until the team responsible became complacent. Lack of continued distribution allowed Google Play Protect to almost completely eradicate Cerberus by August 2020.

Alien targets 226 Android apps, mostly geared toward the banking industry. In addition to stealing user credentials, the malware can install and remove applications from the infected device, and even intercept notifications:

“Most importantly, it offers a notifications sniffer, allowing it to get the content of all notifications on the infected device, and a RAT (Remote Access Trojan) feature (by abusing the TeamViewer application), meaning that the threat actors can perform the fraud from the victim’s device.”

The choice of Coinbase and Blockchain.com is understandable as these are two of the most popular crypto apps. It is less clear why the hackers targeted the much smaller Luno exchange (which was recently acquired by the Digital Currency Group), yet omitted (so far as we know) other industry giants like Binance.