A new malware called Xenomorph has infected tens of thousands of Android phones and is designed to steal financial account information in Spain, Portugal, Italy and Belgium. The worst of the matter is that it is being distributed in supposedly innocuous apps from the official Google Play Store.
Researchers from cybercrime and fraud prevention company ThreatFabric, who analyzed this development, found code and clear links to the well-known Alien banking Trojan, hence its name. This suggests that the two threats are connected in some way. Either Xenomorph is the successor to Alien or a cyber criminal has been working on both.
Xenomorph, extensive capabilities
Like others of its kind, it aims to steal sensitive financial information, take over bank accounts, conduct unauthorized transactions, and sell the stolen data to interested buyers. Xenomorph functionalities are not fully developed according to research, but the Trojan can pose a major threat since it points to 56 banks and could reach a potential «comparable to other modern Android banking Trojans«.
For example, malware can intercept notifications, log SMS, and use injections to perform overlay attacks, so you can already snatch credentials and passwords single-use cards used to protect bank accounts. After its installation, the first action it performs is to send a list of the installed packages on the infected device in order to load the appropriate overlays.
To achieve the above, the malware requests permissions to be granted from the Accessibility Service at installation time and then abuses the privileges to grant itself additional permissions as needed: “Its accessibility engine is very detailed and designed with a modular approach in mind. It contains modules for each specific action required by the bot and can be easily extended to support more functionality. It would not be surprising to see this bot with semi-ATS capabilities in the very near future.«, they alert from ThreatFabric.
From the Play Store
Xenomorph malware has been distributed on the Google Play Store through generic applications that claim to “increase performance” such as “Fast Cleaner”. These utilities are classic lure of banking Trojans and we already saw it with Alien. To avoid rejection during app review in the store, Fast Cleaner fetches the payload after installation, so the app is clean at the time of submission.
Google has gone to great lengths to secure the Play Store, but malware is still being distributed from there. Users also have to contribute, downloading only the most trusted apps. Forget anything that promises to “increase performance.” They are just junk apps that do nothing as they promise. Or worse, they are used to distribute malware. Be careful, it is in Spain where this Xenomorph is most active
