Pierluigi Paganini
February 21, 2022
Researchers from ThreatFabric have spotted a new Android banking trojan, dubbed Xenomorph, distributed via the official Google Play Store that has over 50,000 installations.
The banking Trojan was used to target 56 European banks and steal sensitive information from the devices of their customers.
The analysis of the code revealed the presence of not implemented features and the large amount of logging present, a circumstance that suggests that this threat is under active development.
Xenomorph shares overlaps with the Alien banking trojan, but it has functionalities radically different from the Alien’s one.
Researchers speculate that the two malware could have been developed by the same actor, or at least by someone familiar with the codebase of the Alien banking Trojan.
Alien was spotted by ThreatFabric in September 2020, it implements multiple features allowing it to steal credentials from 226 applications. Alien operation was providing a Malware-as-a-Service (MaaS) an it was advertised on several underground hacking forums. According to researchers, Alien borrows portions of the source code from the Cerberus malware.
ThreatFabric pointed out that Cerberus operators attempted to sell their project because several issues in the malware remained unsolved for a long time due to shortcomings of the development team in the criminal gang. The delay in addressing the problems allowed Google Play Protect to detect the threat on all infected devices. Alien is not affected by the same issues and this is the reason for the success of its MaaS model
Alien is considered a next-generation banking trojan that also implements remote-access features into its codebase.
Xenomorph, like Alien, was ably to bypass security protections implemented by Google Play Store, the researchers found it on the official store masqueraded as productivity apps such as “Fast Cleaner.”
Fast Cleaner (vizeeva.fast.cleaner) is still available on the Play Store, the analysis of the overlay revealed Xenomorph was developed to target users from Spain, Portugal, Italy, and Belgium, as well as some general-purpose applications like emailing services, and cryptocurrency wallets.
Xenomorph leverages the classic overlay attack powered by Accessibility Services privileges as an attack vector.
“Once the malware is up and running on a device, its background services receive accessibilty events whenever something new happens on the device. if the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package. Here as a few examples of triggered overlays” reads the analysis published by ThreatFabric. “In addition, the malware is able to abuse Accessibility Services to log everything that happens on the device. At the moment of writing, all the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware.”
Xenomorph shows the interest of crooks in exploiting Google Play Store to spread their malware and the effort they dedicate to bypass security checks implemented by Google.
“The surfacing of Xenomorph shows, once again, that threat actors are focusing their attention on landing applications on official markets. This is also a signal that the underground market for droppers and distribution actors has increased its activity, considering that we just very recently observed Medusa and Cabassous also being distributed side-by-side.” concludes the report. “Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon. Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change.”
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Xenomorph)
[adrotate banner=”5″]
[adrotate banner=”13″]
