A new Android malware that targets your online banking credentials and can hold your device’s files hostage in exchange for ransom has been introduced. The malware, called Xbot, is not widespread yet and appears to be just targeting devices in Australia and Russia, wrote researchers with Palo Alto Networks in a blog post on Thursday.
“As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow,” Palo Alto wrote.

It essentially allows the malware to launch a different action when someone tries to launch an application. User are unaware that they’re actually using the wrong program or function. Activity hijacking take advantage of features in Android versions prior to 5.0. Google has since developed defenses against it, so only older devices or those that have not been updated would be affected.
In one type of attack, Xbot monitors the app a user has launched. If it is a particular online banking app, Xbot intervenes and displays an interface that obscures the real app.
Xbot can also bring up an interface through WebView saying the device has been infected with CryptoLocker, a well-known ransomware program. Ransomware encrypts files and then asks for payment for the decryption key. In this case, the attackers ask for US$100 to be paid through a spoofed PayPal site.
Xbot will actually encrypt files on the device’s external storage. However, the encryption algorithm used is weak, and it would be possible to recover the files, Palo Alto wrote.
Xbot can also scrape the phone for personal data, such as contacts, SMSes and phone numbers and send the data to the attackers.
Source http://www.timigate.com/2016/02/the-new-android-malware-that-steals.html#more