‘Xenomorph’ Android Trojan Targets 56 Banking Applications

More than 50,000 individuals have downloaded a new Android banking trojan through Google Play, according to online fraud detection firm ThreatFabric.

Dubbed Xenomorph, the malware has limited features, but appears to be under development, with more capabilities likely to be added in future versions.

Additionally, the threat shows similarities with the infamous banking trojan Alien, from which it borrows some class names and strings, despite packing completely different functionality.

“This fact, in addition to the presence of not implemented features and the large amount of logging present on the malware, may suggest that this malware might be the in-progress new project of either the actors responsible with the original Alien, or at least of someone familiar with its code base,” ThreatFabric says.

Xenomorph has been distributed through malicious applications that slipped into Google Play by disguising themselves as legitimate programs. One of them – called “Fast Cleaner” and supposedly meant to help users speed up their devices – had gathered more than 50,000 installations by the time it was discovered.

The application was acting as a dropper and ThreatFabric identified it as part of the Gymdrop dropper family, which was previously seen deploying Alien, but which has since been repurposed to deliver other malware.

Once up and running on a victim’s device, Xenomorph can harvest device information and SMS messages, intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it. The threat also asks for Accessibility Services privileges, which allow it to grant itself further permissions.

The malware can steal victims’ banking credentials by overlaying fake login pages on top of legitimate ones. Because it can also intercept messages and notifications, it allows its operators to bypass SMS-based two-factor authentication and log into the victims’ accounts without alerting them.

The threat downloads the overlays it needs after sending device information back to the command and control (C&C) server. It targets banking applications from Belgium, Italy, Portugal, and Spain, but also cryptocurrency wallets and some email applications.

Xenomorph is powered by the Accessibility engine and features a C&C protocol designed for scalability, ThreatFabric notes. Furthermore, the malware packs extensive logging capabilities, but does not send the logged data back to the C&C server.

Its code, the researchers say, contains a series of commands that haven’t been implemented yet, but which will turn it into a powerful piece of malware once implemented. Furthermore, its modular design makes it easy to add new functionality.

“Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon. Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change,” ThreatFabric concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
