Researchers at Palo Alto Networks have reported that malware dubbed Xbot is targeting devices in Australia and Russia but predict that the malware may become widespread.
It is particularly worrisome because it attacks Android versions prior to 5.0 and, using a technique called activity hacking, targets online banking information. When a user attempts to launch an app, the malware launches a different app in its place and displays an interface that overlays the real one, so the user has no idea that the launch was redirected. It is almost like an internal skimming device.
Palo Alto Labs says it has identified seven different fake interfaces of popular banks in Australia that use the official app login interfaces and logos.
Xbot can also steal personal data from the device, including contacts and telephone numbers.
But wait, there’s more. Xbot can also display an interface that notifies the user that the device has been infected with CryptoLocker, a well-known ransomware. The hackers request payment of $100, to be paid through a fake PayPal site. Xbot can actually encrypt the files on the device’s external storage, so it has a double whammy effect: malware AND ransomware.
Although it is reported to be of limited use in only two countries at this time, as we have seen with other malware and ransomware, it doesn’t take long for it to become a threat everywhere.