‘Xenomorph’ Android Trojan Targets 56 Banking Applications

More than 50,000 individuals have downloaded a new Android banking trojan through Google Play, according to online fraud detection firm ThreatFabric.

Dubbed Xenomorph, the malware has limited features, but appears to be under development, with more capabilities likely to be added in future versions.

Additionally, the threat shows similarities with the infamous banking trojan Alien, from which it borrows some class names and strings, despite packing completely different functionality.

“This fact, in addition to the presence of not implemented features and the large amount of logging present on the malware, may suggest that this malware might be the in-progress new project of either the actors responsible with the original Alien, or at least of someone familiar with its code base,” ThreatFabric says.

[READ: Mobile Malware Attacks Dropped in 2021 but Sophistication Increased]

Xenomorph has been distributed through malicious applications that slipped into Google Play by disguising as legitimate programs. One of them – called “Fast Cleaner” and supposedly meant to help users speed up their devices – had gathered more than 50.000 installations by the time it was discovered.

The application was acting as a dropper and ThreatFabric identified it as part of the Gymdrop dropper family, which was previously seen deploying Alien, but which has since been repurposed to deliver other malware.

Once up and running on a victim’s device, Xenomorph can harvest device information and SMS messages, intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it. The threat also asks for Accessibility Services privileges, which allow it to grant itself further permissions.

The malware can steal victims’ banking credentials by overlaying fake login pages on top of legitimate ones. Because it can also intercept messages and notifications, it allows its operators to bypass SMS-based two-factor authentication and log into the victims’ accounts without alerting them.

[READ: Android Banking Trojan ‘Vultur’ Abusing Accessibility Services]

The threat downloads the overlays it needs after sending device information back to the command and control (C&C) server. It targets banking applications from Belgium, Italy, Portugal, and Spain, but also cryptocurrency wallets and some email applications.

Xenomorph is powered by the Accessibility engine and features a C&C protocol designed for scalability, ThreatFabric notes. Furthermore, the malware packs extensive logging capabilities, but does not send the logged data back to the C&C server.

Its code, the researchers say, contains a series of commands that haven’t been implemented yet, but which will turn it into a powerful piece of malware once implemented. Furthermore, its modular design makes it easy to add new functionality.

“Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon. Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change,” ThreatFabric concludes.

Related: Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Related: GriftHorse Android Trojan Infects Over 10 Million Devices Worldwide