This Trojan is proving to be a nightmare for banks like BBVA, Santander or CaixaBank: this is Xenomorph

Dangerous malware has taken over numerous Android mobile devices with the intention of collecting banking information from major banking apps. Dubbed ‘Xenomorph’ by the security firm ThreatFabric, this Trojan has already affected users from 56 different European banks, targeting Spain, Portugal, Italy and Belgium.

This malware was detected by said company during this same month of February, and has been distributed through the Google Play Store through applications that are not harmful a priori. Everything indicates that this Trojan has been installed more than 50,000 times.

A Trojan that is distributed through an Android app with thousands of downloads

According to ThreatFabric, this Trojan bears similarities to ‘Alien’, another banking malware known to be one of the most widespread in the last two years. However, although they share some lines of code, everything indicates that it is quite different in terms of functionality.

Biggest Password Stealing Malware Wants Windows 10 Users: It Arrives in a Fake Windows 11 Update

Even after Google’s efforts to purge its malware store, there are still some out there like this ‘Xenomorph’ which is proving to be a nightmare for European banking. One of the applications in which this Trojan has been found is in ‘Fast Cleaner’, an app to clean the device and optimize performance. ThreatFabric discovered this because the said app belonged to the Gymdrop dropper family. A dropper is an application that contains malicious code to be injected into users’ devices. This dropper was also responsible for distributing the ‘Alien’ Trojan that we were talking about.


This Trojan is capable of collecting banking information via SMS notifications of two-factor authentication. From ThreatFabric they assure that Xenomorph can also be used to collect data from victims in installed applications that do not belong to its main objective.

The objective of this Trojan goes through banks based in Spain, Portugal, Italy and Belgium. Furthermore, it is also capable of collecting information from cryptocurrency wallets and email services. Among the 56 affected banks are those such as BBVA, CaixaBank, Santander, Unicaja, ING Direct, Bankinter, and many others. You can see the complete list through this link, right at the end of the article.

ThreatFabric assures that, with more time, this malware could evolve to highly worrying levels. Cybercriminals are using increasingly sophisticated methods, and Xenomorph is proof that droppers continue to be a serious problem in major app stores.