Xenomorph Banking Trojan Infects 50,000 Android Devices to Steal Banking Credentials


Researchers at the threat detection company ThreatFabric have discovered Xenomorph, a banking trojan similar to, but functionally different from, the Alien trojan. Xenomorph has already infected 50,000 Android devices, mainly those belonging to customers of over four and a half dozen European banks and a dozen crypto wallets.

A new banking trojan with ties to the Alien and Cerberus trojans has emerged. Dubbed Xenomorph, it shares some capabilities with Alien, leading researchers at ThreatFabric to speculate that the two share a codebase or that their developers are in some way associated. Functionally, however, Xenomorph is quite different from that notorious malware.

Xenomorph has begun targeting Android devices owned by the customers of 56 European banks and, through an innocent-looking device cleaner app, infiltrated more than 50,000 devices. However, researchers believe the banking trojan is still not fully developed. 

“This Android Banking malware is heavily under development, and mostly supports the minimum list of features required for a modern Android banking trojan,” ThreatFabric said. Like Alien and its now-defunct predecessor Cerberus, Xenomorph is designed to steal banking details such as credentials and personally identifiable information (PII) through overlay attacks.

In an overlay attack, attackers place an illicit app window or a fake web page over a legitimate one. The fake app or page mimics the real banking app, complete with fields for credentials, to trick the user into believing they are interacting with the legitimate banking app or page.

Worryingly, two-factor authentication (2FA) won’t protect users, because the new malware can intercept 2FA tokens from SMS messages and app notifications, log them and then inject them to gain access to accounts.

“The information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioral data on victims and on installed applications, even if they are not part of the list of targets.”


Xenomorph Functions | Source: ThreatFabric

Xenomorph also has an extensive but dormant Accessibility Engine that would add further functionality if activated, leading ThreatFabric researchers to describe it as still “an average Android Banking Trojan, with a lot of untapped potential.”

According to ThreatFabric, Xenomorph infiltrated over 50,000 Android devices by hiding inside Fast Cleaner, an Android app that declutters device memory and optimizes the battery. Fast Cleaner initially asks for full access to the device, which an unwitting user may grant so the app can perform its cleanup. Once the trojan has that access, it runs in the background, tracks device activity and launches the overlay attack as soon as it identifies any app from its defined list of targets.
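The combination the article describes (overlay windows, SMS and notification access for 2FA tokens, an accessibility service, all requested by a "cleaner" app) is something a defender can triage from an app's manifest. The script below is an added example written for this article, not ThreatFabric's tooling; the permission names are real Android ones, but the manifest and the "three of four capabilities" threshold are constructed assumptions, not derived from the actual Fast Cleaner packages.

```python
"""Triage heuristic: flag an Android manifest whose declared permissions combine the
capabilities a banking trojan like Xenomorph relies on. Added example; the sample
manifest below is constructed, not taken from the real Fast Cleaner app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> manifest declarations that grant it (assumption: a device-cleaner
# app has no legitimate need for three or more of these at once).
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "notification_listener": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission> names plus the android:permission attribute on
    <service> elements (accessibility and notification listeners are declared so)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    return {p for p in perms if p}

def banking_trojan_indicators(manifest_xml: str) -> list[str]:
    """Return the capability labels the manifest grants, in CAPABILITIES order."""
    perms = declared_permissions(manifest_xml)
    return [label for label, needed in CAPABILITIES.items() if perms & needed]

def is_suspicious(manifest_xml: str) -> bool:
    """Constructed threshold: three or more of the four capabilities together."""
    return len(banking_trojan_indicators(manifest_xml)) >= 3

# Constructed manifest for a "cleaner" app asking for far more than cleanup needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(banking_trojan_indicators(SAMPLE_MANIFEST), is_suspicious(SAMPLE_MANIFEST))
```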

Fast Cleaner has appeared under four distinct package names (com.census.turkey, com.laundry.vessel, com.tip.equip, com.spike.old), all of which have since been removed from the Play Store. Distributing the trojanized app through the Play Store is a bold move, considering that most threat actors rely on third-party app stores or websites to reach Android users.

So far, Xenomorph's operators have targeted users of 28 Spanish, 12 Italian, nine Belgian and seven Portuguese banks. The threat actors, who have yet to be identified, also target customers of 12 cryptocurrency wallets and seven email services.
