Xenomorph Android Banking Trojan Targeting Users in US, Canada

Recently identified malware samples posing as a Chrome update but delivering a malicious APK, dubbed Xenomorph, show that the threat has matured, adding several new modules that make it more effective. The malware has been revamped with dozens of new overlays targeting financial institutions and cryptocurrency wallets in the US, Portugal, Spain, and Canada. According to ThreatFabric, each of the recently analysed samples contains more than 100 maliciously crafted overlays designed to steal personal and financial information from victim devices. New commands have also been introduced to prevent the device from going into sleep mode and to simulate touch activity at specific screen coordinates.

ThreatFabric further reports that the malware operators exposed access to a distribution server, which revealed telling details about the motivation behind the trojan. “This campaign is heavily centred around Spain, manifesting in some 3,000 downloads within just a few weeks,” followed by “over 100 downloads pertaining to the United States and Portugal,” the fraud detection company concluded. They also uncovered evidence that desktop users are being victimised by the threat: somewhat surprisingly, closely related desktop stealers were seen distributed alongside Xenomorph. This could indicate links between the threat actors involved, or the use of Malware-as-a-Service (MaaS) offerings that bring separate operators into coordination.

Meanwhile, other researchers familiar with the malware, which is believed to be linked to the Alien banking trojan, note that Xenomorph uses overlays to steal users’ credentials and also defeats two-factor authentication by intercepting notifications and SMS messages.

Author: Robert Wilson