Xenomorph malware is still under development, yet it is already being actively distributed through the official Google Play Store.
Dutch cybersecurity firm ThreatFabric has revealed details of a newly discovered Android banking trojan hidden inside applications on the Google Play Store. ThreatFabric founder and CEO Han Sahin stated that the trojan, which the company has dubbed Xenomorph, has more than 50,000 installations, and that its operators are targeting 56 European banks in order to steal sensitive data.
Malware Currently In-Development
According to ThreatFabric, Xenomorph is still under development. Despite that, it already features effective overlays and is being actively distributed through official app stores, Sahin stated.
Furthermore, Xenomorph's engine is "very detailed and modular", and the malware is built around abuse of Android's Accessibility Services (a permission the victim is tricked into granting, not a vulnerability that is exploited). This foundation could give Xenomorph far more advanced capabilities soon.
Similarities between Alien and Xenomorph
Researchers have noticed similarities between Xenomorph and another banking trojan called Alien. Alien was discovered in August 2020, shortly after the demise of the infamous Cerberus malware, and its functionalities included 2FA theft and notification sniffing.
However, researchers also noted that Xenomorph is "radically different" from Alien, a remote access trojan (RAT), in terms of functionality. They suggest that Xenomorph is the next generation of Alien and that quite possibly a single developer is behind both trojans.
Malware Infects via Google Play Store Apps
Unlike most malware, which is distributed via phishing or compromised websites, Xenomorph is distributed through apps listed on official app stores such as Google Play.
The majority of its targets are banks in Europe, including Spain, Italy, Belgium, and Portugal, and its primary objective is stealing money from its victims.
How Does it Infect Devices?
In a blog post, researchers stated that the malware gets past the Play Store's security checks by hiding inside seemingly benign productivity apps such as Fast Cleaner, which deceive unsuspecting users into installing it. Fast Cleaner (package name vizeeva.fast.cleaner) is relatively more popular in Spain and Portugal.
The app first appeared on the Play Store in late January 2022. Interestingly, its user reviews already contain warnings that it carries malware; one user reported that it continually asks for confirmation of an update. These are signs that the app is malicious: an "update" that the app itself insists on after installation, rather than one delivered through the Play Store, is a common way for such apps to fetch their real payload after passing review. Still, it boasts 50,000 installations.
How does it Steal Data?
Xenomorph prompts its victims to grant it Accessibility Services privileges and abuses them to carry out overlay attacks, injecting rogue login screens over legitimate banking apps to steal credentials.
Additionally, the malware has a notification-sniffing feature, which it uses to harvest 2FA tokens the user receives via SMS, and it obtains the list of installed applications, which tells the operators which of the targeted banking apps are present on the device. It then exfiltrates this information to a remote command-and-control (C2) server.
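Both of the capabilities above depend on grants that a user has to make on the device, and those grants can be read back during triage. The following Python script is an added example written for this article, not code from ThreatFabric's report or from the malware itself. It parses the text printed by `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3` (fed in here as constructed sample strings, with made-up service class names and a made-up `com.example.notes` app), and flags third-party packages holding either grant, matching the Fast Cleaner package name from the report as known-bad. The allowlist is an illustrative assumption.

```python
"""Added example: flag third-party Android packages that hold Accessibility
or notification-listener access, the two grants Xenomorph relies on.

Input is the text that these adb commands print (constructed samples below):
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell pm list packages -3
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Illustrative allowlist (an assumption for this example; tune per fleet).
DEFAULT_ALLOWLIST = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# Package name given in the ThreatFabric report the article summarises.
KNOWN_BAD_PACKAGES = {"vizeeva.fast.cleaner"}


def parse_component_setting(value: str | None) -> list[tuple[str, str]]:
    """Parse the colon-separated ComponentName list held by the two
    `settings` keys. Entries are `package/class`; `package/.Class` is
    shorthand for `package/package.Class`. An unset key prints `null`."""
    value = (value or "").strip()
    if value in ("", "null"):
        return []
    components = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # skip malformed fragments instead of aborting triage
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def parse_pm_list(output: str) -> set[str]:
    """Parse `pm list packages` output: one `package:<name>` per line."""
    return {
        line.strip()[len("package:"):]
        for line in output.splitlines()
        if line.strip().startswith("package:")
    }


@dataclass
class Finding:
    package: str
    reason: str
    components: list[tuple[str, str]] = field(default_factory=list)


def triage(accessibility_setting: str | None,
           notification_setting: str | None,
           third_party_output: str,
           allowlist: set[str] = DEFAULT_ALLOWLIST) -> list[Finding]:
    """Return findings for packages holding either grant, in package-name order."""
    third_party = parse_pm_list(third_party_output)
    by_pkg: dict[str, list[tuple[str, str]]] = {}
    for grant, setting in (("accessibility", accessibility_setting),
                           ("notification-listener", notification_setting)):
        for pkg, cls in parse_component_setting(setting):
            by_pkg.setdefault(pkg, []).append((grant, cls))

    findings = []
    for pkg, comps in sorted(by_pkg.items()):
        kinds = sorted({grant for grant, _ in comps})
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(Finding(pkg, "package named in the ThreatFabric report (Fast Cleaner)", comps))
        elif pkg in allowlist or pkg not in third_party:
            continue  # allowlisted or system package; system apps need a separate review
        elif len(kinds) == 2:
            findings.append(Finding(pkg, "third-party app holds both accessibility and notification-listener access", comps))
        else:
            findings.append(Finding(pkg, f"third-party app holds {kinds[0]} access", comps))
    return findings


# Constructed sample output (service class names and com.example.* apps are made up).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "vizeeva.fast.cleaner/.AccService"
)
SAMPLE_NOTIFICATION = "vizeeva.fast.cleaner/vizeeva.fast.cleaner.NotifService:com.example.notes/.NoteListener"
SAMPLE_PM = "package:vizeeva.fast.cleaner\npackage:com.example.notes\npackage:com.example.game\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_NOTIFICATION, SAMPLE_PM):
        print(f"{finding.package}: {finding.reason}")
        for grant, cls in finding.components:
            print(f"    {grant}: {cls}")
```

On a real device, pipe the three adb commands into the corresponding parameters. The `null` case covers devices where nothing has been enabled, and a third-party package holding both grants at once is exactly the combination the article describes, so it is the first thing to pull for analysis.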
Xenomorph's functionality shows that cybercriminals are focusing more on banking malware and on "landing applications on official markets."
“Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates,” researchers concluded.