A new malware called Xenomorph has infected tens of thousands of Android phones and is designed to steal information from financial accounts in Spain, Portugal, Italy and Belgium. The worst thing about it is that it is being distributed in supposedly innocuous apps from the official Google Play Store.
Researchers from the cybercrime and fraud prevention company ThreatFabric, who analyzed the campaign, found code overlap and clear links to the well-known Alien banking Trojan, hence the name. This suggests that the two threats are connected in some way: either Xenomorph is the successor to Alien, or the same cybercriminal has been working on both.
Xenomorph's extensive capabilities
Like others of its kind, it aims to steal sensitive financial information, take over bank accounts, conduct unauthorized transactions, and sell the stolen data to interested buyers. According to the researchers, Xenomorph's functionality is not yet fully developed, but the Trojan may already pose a major threat: it targets 56 banks and could reach a potential “comparable to other modern Android banking Trojans”.
For example, the malware can intercept notifications, log SMS messages, and use injections to perform overlay attacks, so it can already capture credentials and the one-time passwords used to protect bank accounts. After installation, its first action is to send the list of packages installed on the infected device to its operators, so that the overlays matching the banking apps present can be loaded.
To achieve the above, the malware asks the user to grant it the Accessibility Service at installation time and then abuses that privilege to grant itself additional permissions as needed (the “ATS” mentioned below is an automated transfer system, the component that lets a banking Trojan initiate transactions on its own): “Its accessibility engine is very verbose and is designed with a modular approach in mind. It contains modules for each specific action required by the bot and can be easily extended to support more functionality. It would not be surprising to see this bot with semi-ATS capabilities in the very near future”, ThreatFabric warns.
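Because the whole scheme hinges on an installed app holding an enabled Accessibility Service (and, for OTP theft, an enabled notification listener), the quickest triage on a device you suspect is to list which third-party packages hold those two privileges. The script below is an added example written for this article, not code from ThreatFabric or from the malware; it parses the text that three real adb commands return (`settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`, `pm list packages -3`) and flags the packages that hold either privilege. The sample strings are constructed for the example and the package name `com.example.fastcleaner` is a placeholder, not the real dropper's identifier.

```python
"""
Triage helper: flag third-party Android packages that hold the two
privileges banking trojans like Xenomorph rely on, an enabled
Accessibility Service and an enabled notification listener.

Input is the text returned by three adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell pm list packages -3

The sample strings below are constructed for this example; the package
name com.example.fastcleaner is a placeholder, not a real app.
"""

# Constructed sample output, shaped like the real commands' output.
# The settings values are colon-separated 'package/ServiceClass' entries
# (or the literal string 'null' when nothing is enabled).
SAMPLE_ACCESSIBILITY = (
    "com.example.fastcleaner/com.example.fastcleaner.AccSvc:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)
SAMPLE_NOTIF_LISTENERS = "com.example.fastcleaner/.NotifSvc"
SAMPLE_PACKAGES = """package:com.example.fastcleaner
package:com.google.android.marvin.talkback
package:com.android.chrome
"""


def parse_component_setting(value: str) -> set:
    """Turn a secure-settings component list into the set of owning packages.

    'a/b:c/d' -> {'a', 'c'}; '' or 'null' -> empty set.
    """
    value = value.strip()
    if not value or value == "null":
        return set()
    pkgs = set()
    for comp in value.split(":"):
        comp = comp.strip()
        if comp:
            # Everything before the first '/' is the package name.
            pkgs.add(comp.split("/", 1)[0])
    return pkgs


def parse_package_list(value: str) -> set:
    """Parse 'pm list packages' output: one 'package:<name>' per line."""
    pkgs = set()
    for line in value.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def flag_suspicious(acc_setting: str, notif_setting: str, pkg_list: str,
                    allowlist=frozenset()) -> dict:
    """Return {package: [privileges]} for third-party packages that hold an
    enabled Accessibility Service and/or notification listener.

    Holding these privileges is not proof of malice (screen readers and
    password managers legitimately use them), so known-good packages can be
    passed in `allowlist` to keep the output short.
    """
    third_party = parse_package_list(pkg_list)
    acc = parse_component_setting(acc_setting)
    notif = parse_component_setting(notif_setting)
    findings = {}
    for pkg in sorted(third_party):
        if pkg in allowlist:
            continue
        privs = []
        if pkg in acc:
            privs.append("accessibility")
        if pkg in notif:
            privs.append("notification_listener")
        if privs:
            findings[pkg] = privs
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real device, feed in the
    # output of the three adb commands listed at the top instead.
    for pkg, privs in flag_suspicious(SAMPLE_ACCESSIBILITY,
                                      SAMPLE_NOTIF_LISTENERS,
                                      SAMPLE_PACKAGES).items():
        print(f"{pkg}: {', '.join(privs)}")
```

A hit on this list is a lead, not a verdict: the point is that a "cleaner" or "performance" utility has no business holding either privilege, and an app that combines both with recent installation from the Play Store is exactly the profile described above.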
From the Play Store
Xenomorph has been distributed on the Google Play Store through generic applications claiming to “increase performance”, such as “Fast Cleaner”. These utilities are a classic lure for banking Trojans, and we have already seen the same with Alien. To avoid rejection during the store's app review, Fast Cleaner fetches its malicious payload only after installation, so the app is clean at the time of submission.
Google has gone to great lengths to secure the Play Store, but malware is still being distributed from there. Users also have to do their part by installing only apps from developers they trust. Forget anything that promises to “increase performance”: such apps are junk that does not do what it promises, or worse, they are used to distribute malware. Be careful: it is in Spain that Xenomorph is most active.