Malware

Xenomorph Android banking trojan distributed via Google Play Store

Xenomorph Android trojan has been observed distributed via the official Google Play Store targeting 56 European banks.

Researchers from ThreatFabric have spotted a new Android banking trojan, dubbed Xenomorph, distributed via the official Google Play Store that has over 50,000 installations.

The banking Trojan was used to target 56 European banks and steal sensitive information from the devices of their customers.

The analysis of the code revealed the presence of not implemented features and the large amount of logging present, a circumstance that suggests that this threat is under active development.

Xenomorph shares overlaps with the Alien banking trojan, but it has functionalities radically different from the Alien’s one. 

Researchers speculate that the two malware could have been developed by the same actor, or at least by someone familiar with the codebase of the Alien banking Trojan.

Alien was spotted by ThreatFabric in September 2020, it implements multiple features allowing it to steal credentials from 226 applications. Alien operation was providing a Malware-as-a-Service (MaaS) an it was advertised on several underground hacking forums. According to researchers, Alien borrows portions of the source code from the Cerberus malware.

ThreatFabric pointed out that Cerberus operators attempted to sell their project because several issues in the malware remained unsolved for a long time due to shortcomings of the development team in the criminal gang. The delay in addressing the problems allowed Google Play Protect to detect the threat on all infected devices. Alien is not affected by the same issues and this is the reason for the success of its MaaS model

Alien is considered a next-generation banking trojan that also implements remote-access features into its codebase.

Xenomorph, like Alien, was ably to bypass security protections implemented by Google Play Store, the researchers found it on the official store masqueraded as productivity apps such as “Fast Cleaner.”

Fast Cleaner (vizeeva.fast.cleaner) is still available on the Play Store, the analysis of the overlay revealed Xenomorph was developed to target users from Spain, Portugal, Italy, and Belgium, as well as some general-purpose applications like emailing services, and cryptocurrency wallets.

Xenomorph leverages the classic overlay attack powered by Accessibility Services privileges as an attack vector.

“Once the malware is up and running on a device, its background services receive accessibilty events whenever something new happens on the device. if the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package. Here as a few examples of triggered overlays” reads the analysis published by ThreatFabric. “In addition, the malware is able to abuse Accessibility Services to log everything that happens on the device. At the moment of writing, all the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware.”

Xenomorph shows the interest of crooks in exploiting Google Play Store to spread their malware and the effort they dedicate to bypass security checks implemented by Google.

“The surfacing of Xenomorph shows, once again, that threat actors are focusing their attention on landing applications on official markets. This is also a signal that the underground market for droppers and distribution actors has increased its activity, considering that we just very recently observed Medusa and Cabassous also being distributed side-by-side.” concludes the report. “Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon. Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Xenomorph)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

5 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

11 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

23 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.