Xenomorph banking app malware discovered
As ThreatFabric notes, attackers are constantly looking for new ways to spread malicious software through the Google Play Store. Google fights back, but resourceful attackers always seem to be one step ahead. A recent example is the Fast Cleaner app. It claimed to speed up Android phones by removing clutter, but in reality Fast Cleaner was a dropper for the Xenomorph banking malware.
What ThreatFabric found after analyzing the app:
On analysis, the app was classified as belonging to the Gymdrop dropper family, which ThreatFabric discovered in November 2021. Gymdrop had earlier been seen deploying the Alien.A payload. From the configuration downloaded by the dropper, ThreatFabric was able to confirm that the dropper family continues to use Alien as its payload. The servers that hosted the malicious code also served two other malware families, which were returned instead of Alien based on specific triggers. Besides spreading the Alien and Exobot Trojans, the dropper also carried a new malware family, and that is how ThreatFabric discovered Xenomorph for the first time.
What can Xenomorph do:
According to ThreatFabric, Xenomorph is still under development but is already capable of wreaking havoc. The malware's first goal is to steal the credentials of banking apps through overlay attacks. It can also intercept SMS messages and notifications in order to log and use 2FA tokens. ThreatFabric also states that Xenomorph is designed to be “scalable and updateable.”
The amount of information this malware's logging capability collects is large. Security researchers at ThreatFabric cautioned in their article that, if sent back to the C2 servers, it could be used to implement keylogging as well as to collect personal data on victims, including the apps installed on the device, even those that are not on the target list.
Like most other banking malware, Xenomorph relies on users granting it access to their devices. Once it infects a device, the malware asks for specific rights to the Accessibility Service. If it obtains those rights, it can log everything that happens on the device.
So far this malware has targeted users in Spain, Portugal, Italy and Belgium. Although it is still in the early stages of development, users say it already has a lot of power. Currently, Xenomorph is able to abuse Accessibility Services and to uninstall and block SMS and notifications in order to steal personal information from unsuspecting victims, and it may become even more dangerous in the future.
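The capabilities described above (accessibility abuse, overlays, SMS and notification interception, and dropping further packages) each depend on a specific Android permission or service binding that a "cleaner" app has little legitimate reason to request. The following triage script is an added example written for this page; it is not ThreatFabric's tooling and the weights are an assumed heuristic. It parses an AndroidManifest.xml and scores the risky combinations, which is a cheap first pass an app vetting or mobile security team can run over APKs before deeper analysis. The two manifests at the bottom are constructed for demonstration and do not correspond to any real app.

```python
"""Triage an AndroidManifest.xml for the permission/service combinations a
banking trojan of the kind described above needs.  Added example with
assumed weights; not the page's or ThreatFabric's own tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"            # android:name attribute key
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission attribute key

# Real Android permission names, each tied to a capability the article
# describes.  Weights are an assumed heuristic, not a published scale.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "can draw overlays on top of other apps"),
    "android.permission.RECEIVE_SMS": (2, "can read incoming SMS, e.g. 2FA codes"),
    "android.permission.READ_SMS": (2, "can read stored SMS"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (3, "can install further APKs (dropper behaviour)"),
    "android.permission.QUERY_ALL_PACKAGES": (1, "can enumerate installed apps for target matching"),
}

# Service bindings that hand the app accessibility or notification access.
RISKY_SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": (4, "accessibility service: can observe and drive the UI"),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": (2, "notification listener: can read and dismiss notifications"),
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return a risk score and human-readable findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    score = 0
    # <uses-permission android:name="..."/> entries
    for node in root.iter("uses-permission"):
        perm = node.get(NAME, "")
        if perm in RISKY_PERMISSIONS:
            weight, why = RISKY_PERMISSIONS[perm]
            score += weight
            findings.append(f"{perm}: {why}")
    # <service android:permission="..."/> entries inside <application>
    for svc in root.iter("service"):
        binding = svc.get(PERMISSION, "")
        if binding in RISKY_SERVICE_BINDINGS:
            weight, why = RISKY_SERVICE_BINDINGS[binding]
            score += weight
            findings.append(f"service {svc.get(NAME, '?')} requires {binding}: {why}")
    return {"score": score, "findings": findings}


def is_suspicious(manifest_xml: str, threshold: int = 5) -> bool:
    """Assumed cut-off: at or above this score the APK is sent for manual review."""
    return triage_manifest(manifest_xml)["score"] >= threshold


# Constructed manifests for demonstration only (hypothetical package names).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

DROPPER_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fastclean">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("dropper-like", DROPPER_LIKE_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{label}: score={result['score']} suspicious={is_suspicious(manifest)}")
        for line in result["findings"]:
            print("  -", line)
```

A manifest check like this is only a filter: a dropper can ship with a minimal manifest and fetch the real payload later, exactly as the Gymdrop flow above describes, so the score should feed into dynamic analysis rather than replace it.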