# Red Alert 2.0
Banking trojan written entirely from scratch (not based on leaked source code) and sold as malware-as-a-service (MaaS) for $500/month. Discovered by SfyLabs (now ThreatFabric) in September 2017. Notable for being the first Android banking trojan to use Twitter as a C2 fallback mechanism and for actively blocking incoming bank calls to prevent fraud warnings from reaching victims.
## Overview
| Property | Value |
|---|---|
| First Seen | September 2017 |
| Type | Banking trojan / MaaS |
| Attribution | Unknown (underground forum operator) |
| Aliases | Trojan-Banker.AndroidOS.Redalert (Kaspersky) |
## Distribution
Rented on underground forums for $500/month. Distributed to victims via third-party app stores and phishing campaigns.
## Capabilities
| Capability | Implementation |
|---|---|
| Overlay attacks | Fake login screens over 60+ banking and social apps (Instagram, Viber, WhatsApp) |
| SMS interception | 2FA bypass via SMS hijacking |
| Call blocking | Blocked and logged incoming calls from banks to prevent fraud alerts |
| Contact harvesting | Exfiltrated device contact list |
| Twitter C2 fallback | Retrieved new C2 addresses from a Twitter account when primary C2 was unreachable |
| Anti-detection | Randomized package names (e.g., com.dsufabunfzs.dowiflubs) |
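As an added defender-side example (not code from the original page, nor from SfyLabs/ThreatFabric), the following Python script triages a decoded `AndroidManifest.xml` against the capability profile in the table above and applies a coarse randomness heuristic to the package name. The permission-to-capability mapping is an assumption about what overlay, SMS interception, call handling and contact access typically require on Android; the page does not list the permissions the trojan actually requests. The sample manifest is constructed, reusing only the package name quoted in the table.

```python
"""Manifest triage against a banking-trojan capability profile.

Added example, not from the original page. Assumes the manifest has already
been decoded from binary XML to text (e.g. with apktool or androguard).
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# ASSUMPTION: permissions such behaviour typically needs on Android.
# The page does not state which permissions Red Alert 2.0 requests.
CAPABILITY_PERMISSIONS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "call_blocking": {"android.permission.READ_PHONE_STATE",
                      "android.permission.CALL_PHONE",
                      "android.permission.ANSWER_PHONE_CALLS"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
}

# Constructed sample manifest; only the package name comes from the page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.dsufabunfzs.dowiflubs">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flash Player"/>
</manifest>
"""

VOWELS = set("aeiou")


def parse_manifest(xml_text):
    """Return (package name, set of requested permission strings)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}
    perms.discard(None)
    return package, perms


def matched_capabilities(perms):
    """Capabilities for which at least one of the assumed permissions is present."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def looks_random(package):
    """Coarse heuristic for generated package names.

    A segment of 8+ characters with almost no vowels, or with a run of four
    or more consonants, is treated as machine-generated. Expect false
    positives on unusual brand names; use as a triage signal, not a verdict.
    """
    for seg in package.lower().split("."):
        letters = [c for c in seg if c.isalpha()]
        if len(letters) < 8:
            continue
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
        runs = re.findall(r"[^aeiou]+", "".join(letters))
        longest_run = max(map(len, runs), default=0)
        if vowel_ratio <= 0.2 or longest_run >= 4:
            return True
    return False


def triage_manifest(xml_text):
    """Summarise how closely a manifest matches the capability profile."""
    package, perms = parse_manifest(xml_text)
    caps = matched_capabilities(perms)
    risk = "high" if len(caps) >= 3 else "medium" if caps else "low"
    return {
        "package": package,
        "capabilities": sorted(caps),
        "random_package_name": looks_random(package),
        "risk": risk,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The script treats overlapping permission sets as a triage signal rather than proof of maliciousness: a legitimate dialler or messaging app will legitimately hold several of these, so the combination of three or more capability groups together with a generated-looking package name is what should draw an analyst's attention.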
## Significance
Red Alert 2.0 introduced two techniques adopted by later families:
- Social media C2 fallback: When hardcoded C2 servers were unreachable, the bot retrieved new C2 addresses from a Twitter account. This dead-drop resolver technique later appeared in Medusa v2 (Telegram and X).
- Bank call blocking: Actively prevented banks from warning victims about suspicious activity. This became standard in modern banking trojans.