New Xenomorph Android malware targets more than 50 banking and financial apps


Some banking malware targets mobile devices and can quickly steal money from bank accounts. Discover Xenomorph, a new malware targeting Android and more than 50 banking and financial applications.

Image: iStockphoto/solarseven

In September 2020, ThreatFabric exposed an Android-based mobile malware called “Alien” with striking capabilities: giving attackers remote access to the device, controlling SMS messages, stealing notifications, installing or removing apps, and collecting data from the infected phone.


ThreatFabric now reports a new banking Trojan, dubbed Xenomorph, that appears to be an evolution of that malware and gives the cybercriminals controlling it a narrower, finance-focused toolset.

From Alien to Xenomorph

Several elements have led ThreatFabric researchers to believe that the Xenomorph malware is an evolution of Alien.

The first clue is that the same HTML page is used to trick victims into granting Accessibility Services privileges, although this page has also been reused by many other malware families, so on its own it is weak evidence.

More intriguingly, the researchers mention that “the style of variable naming used by Xenomorph is very reminiscent of Alien, though potentially even more detailed”, and point to “the actual name of the shared preferences file used to store Xenomorph’s configuration: the file is named ring0.xml”.

In fact, ring0 is the nickname of the developer of the original Alien malware (Figure A).

Figure A

Image: ThreatFabric. A post by the user “ring0” on a cybercrime forum, and the reference in the code.

Additionally, several strings and peculiar class names are visible in both Alien and Xenomorph code (Figure B).

Figure B

Image: ThreatFabric. Identical log strings in Alien and Xenomorph code.

Alien has broader, all-purpose capabilities, whereas Xenomorph is much more narrowly focused on stealing banking information.

One plausible reading is that the developer of Alien decided to build a more specialized malware that concentrates solely on financial theft.

Xenomorph infections

While Google is making efforts to fight malware on its Play Store, cybercriminals are still finding ways to circumvent it and have their malware distributed this way.

An app from the Play Store dubbed “Fast Cleaner”, whose stated purpose is to speed up the device, acts as a dropper: it downloads, drops and executes malicious content (Figure C).

Figure C

Image: ThreatFabric. The Fast Cleaner app that downloads and installs Xenomorph in the background.

According to the researchers, the Fast Cleaner app has in the past downloaded and installed samples from several malware families, among them ExobotCompact.D and Alien.A, before it also started downloading and installing Xenomorph.

Xenomorph Abilities

Xenomorph is capable of deploying overlay attacks, in which a fake window is placed on top of a legitimate application to prompt the user for credentials.

The malware can also intercept notifications and manage SMS messages, which lets it bypass two-factor authentication that relies on SMS codes.

As is common in malware, Xenomorph can update itself and change its command-and-control server reference.

The banking Trojan is also built on a very modular model, so new functions are easy to add. In fact, more functions are already implemented in the code but not yet used: extended logging capabilities could be activated in the future to let the malware collect much more information about the device, how it is used and its user.

The overlay attack

As noted, Xenomorph can deploy overlay attacks.

To perform the overlay attack, Xenomorph’s code carries a list of banking and financial applications; when the user opens one of them, the malware displays its own overlay screen asking for their data. An incautious user could then hand their credentials (Figure D) or credit card information straight to the attackers.

Figure D

Image: ThreatFabric. Xenomorph’s overlay attack screen asking the user for their credit card information.

Xenomorph targets

The list of overlay targets found in the banking Trojan includes banking apps from Spain, Italy, Belgium and Portugal, as well as cryptocurrency wallets and email services (Figure E).

Figure E

Image: ThreatFabric. Targeted applications.

A full list of targeted apps was provided by the researchers in the report.

How to protect yourself from Xenomorph

To protect against Xenomorph and other mobile malware, several actions can be taken:

  • Avoid unknown stores. Unknown stores usually have no malware detection process, unlike the Google Play Store. Do not install software on your Android device from untrusted sources. As the Fast Cleaner case shows, sticking to the Play Store lowers the risk but does not remove it.
  • Reboot often. This does not help against Xenomorph, but it can against other mobile malware: some highly stealthy malware deliberately has no persistence mechanism, so as to avoid detection, and a reboot removes it from the device.
  • Carefully check the permissions requested when installing an application. Apps should only request permissions for the APIs they actually need. Before installing an app from the Google Play Store, scroll down the app’s description and tap App permissions to see what it asks for. Be extra careful when an app asks for permission to manage SMS. A cleaner application, for example, has no business requesting this privilege, which banking Trojans like Xenomorph use to bypass SMS-based 2FA.
  • Treat immediate update requests after installation as suspicious. An app downloaded from the Play Store should already be the latest version, so an app that asks to update itself on its first run, right after installation, deserves suspicion.
  • Check the application’s context. Is it the developer’s first app? Does it have very few reviews, or perhaps only five-star reviews?
  • Use security apps on your Android device. Comprehensive security apps should be installed on your device to protect it.
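The permission and Accessibility Services checks above can be done after the fact as well, on a device you suspect, from a workstation with adb. The script below is an added example written for this article, not code from ThreatFabric, TechRepublic or Xenomorph itself. It triages three real adb outputs, `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3` and `adb shell dumpsys package <pkg>`, and flags third-party apps that have an enabled accessibility service or hold SMS permissions, the two things a “cleaner” should never need. The sample outputs embedded here are constructed and simplified, and the package names (`com.example.fastcleaner`, `com.example.notes`) are placeholders, not the real Fast Cleaner package.

```python
"""Triage adb output for banking-Trojan indicators (added example).

Flags third-party packages that (a) have an enabled Accessibility Service
or (b) have been granted SMS permissions and are not the default SMS app.
All sample data below is constructed; package names are placeholders.
"""
from __future__ import annotations

import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ACCESSIBILITY = (
    "com.example.fastcleaner/com.example.fastcleaner.svc.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed sample of: adb shell pm list packages -3   (third-party packages only)
SAMPLE_THIRD_PARTY = """package:com.example.fastcleaner
package:com.example.notes
"""

# Constructed, shortened excerpts of: adb shell dumpsys package <pkg>
SAMPLE_DUMPSYS = {
    "com.example.fastcleaner": """Packages:
  Package [com.example.fastcleaner] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
""",
    "com.example.notes": """Packages:
  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
    runtime permissions:
""",
}

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Only lines in the "runtime permissions:" section carry "granted=..."; the
# "requested permissions:" list is declared-but-not-necessarily-granted.
_GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def parse_enabled_accessibility(raw: str) -> dict[str, set[str]]:
    """Map package -> enabled accessibility service classes ('pkg/svc' entries, ':'-separated)."""
    result: dict[str, set[str]] = {}
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        result.setdefault(pkg, set()).add(svc)
    return result


def parse_third_party_packages(raw: str) -> set[str]:
    """Extract package names from 'package:<name>' lines."""
    return {line[len("package:"):].strip() for line in raw.splitlines() if line.startswith("package:")}


def parse_granted_runtime_permissions(dumpsys: str) -> set[str]:
    """Return the runtime permissions dumpsys reports as granted=true."""
    return {m.group(1) for m in _GRANT_RE.finditer(dumpsys) if m.group(2) == "true"}


def triage(accessibility_raw: str, third_party_raw: str, dumpsys_by_pkg: dict[str, str],
           default_sms_app: str | None = None) -> dict[str, list[str]]:
    """Return {package: [reasons]} for third-party apps worth a closer look."""
    third_party = parse_third_party_packages(third_party_raw)
    acc = parse_enabled_accessibility(accessibility_raw)
    findings: dict[str, list[str]] = {}
    for pkg in sorted(third_party):
        reasons = []
        if pkg in acc:
            reasons.append("accessibility service enabled: " + ", ".join(sorted(acc[pkg])))
        sms = parse_granted_runtime_permissions(dumpsys_by_pkg.get(pkg, "")) & SMS_PERMISSIONS
        if sms and pkg != default_sms_app:  # the user's real SMS app legitimately holds these
            reasons.append("SMS permissions granted: " + ", ".join(sorted(sms)))
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_THIRD_PARTY, SAMPLE_DUMPSYS).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device, feed the script the live output of the three adb commands instead of the constructed samples, and pass the package name of your actual SMS app as `default_sms_app` so it is not flagged for holding SMS permissions. A third-party “cleaner” that shows up with both an enabled accessibility service and granted SMS permissions is exactly the profile the article describes.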

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.

