Xenomorph: new malware found on the Google Play Store goes after your banking data


Alexander Boero

February 24, 2022 at 3:50 p.m.


Xenomorph © ThreatFabric


Discovered this month, the new banking Trojan, dubbed "Xenomorph", spreads via the Play Store
and has already been downloaded more than 50,000 times.

Are the Aliens coming for us? Almost… ThreatFabric, a Dutch cybersecurity company specializing in the fight against banking cybercrime, has discovered a new piece of malware in recent weeks. It takes the form of a Trojan horse and hides inside fake mobile applications available on the Google Play Store, the app store of the Mountain View company.

On the surface, an ordinary device-cleaning application

Named Xenomorph in reference to another banking Trojan, Alien, from which it borrows some of its settings, the malware is considerably more dangerous, not least because it initially slipped past Google's and Android's defenses. It is already highly active, and its functionality differs from that of its predecessor, with some features not even implemented yet.

ThreatFabric researchers found that Xenomorph had been deployed on more than 50,000 devices, whose owners were apparently customers of 56 different European banks.

Those 50,000 downloads belong to a single application, Fast Cleaner, since removed from the Play Store, whose advertised purpose, from the point of view of an uninformed user, is to clean up the device and purge it of unnecessary data.

Accessibility-hungry malware that works through overlay attacks

In fact, this rogue application belongs to the Gymdrop family of droppers (or injectors), discovered a few months earlier when it was used to deploy the Alien.A payload. Unlike in the Alien.A days, however, the server hosting the malicious code now serves two further malware families alongside Alien: ExobotCompact.D, regularly used in malicious campaigns delivered through banking-themed apps on the Play Store, and the brand-new Xenomorph.

Xenomorph works through overlay attacks. The malware requests access to Android's accessibility services (always be wary of an app that asks for full control over your smartphone!), then opens a web page on top of the targeted app that tricks the user into entering their credentials, which the malware steals. The victim has no way of noticing that they are actually typing into a fake login screen imitating their banking application.

Worse still, Xenomorph can intercept two-factor authentication notifications and the SMS messages that are supposed to deliver one-time codes. Once the Trojan is up and running, its background service receives an accessibility event every time the user performs an action on the device. If the app the user opens is on Xenomorph's target list, the overlay injection is triggered again, and the user hands their credentials to the attacker.
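The three capabilities described above (accessibility events, reading notifications, handling SMS) all depend on settings a user can inspect. The script below is an added example, not code from the article or from ThreatFabric: it reads the Android `Settings.Secure` keys that govern those capabilities and flags any component that is not on an allowlist. The allowlist entries (TalkBack, Google Messages) are assumed values for a stock Google device, `com.example.cleaner` is a hypothetical package standing in for a dropper, the sample settings are constructed to look like `adb shell settings get secure <key>` output, and `collect_from_adb()` assumes `adb` is on the PATH with a USB-debugging-enabled device attached.

```python
import subprocess

# Settings.Secure keys (android.provider.Settings.Secure) that gate the three
# capabilities the article describes: accessibility events, notification reads
# and SMS handling.
SETTING_KEYS = {
    "accessibility": "enabled_accessibility_services",
    "notification_listener": "enabled_notification_listeners",
    "default_sms": "sms_default_application",
}

# Assumed allowlist for a stock Google device; replace with your own baseline.
ALLOWLIST = {
    "accessibility": {
        "com.google.android.marvin.talkback/"
        "com.google.android.marvin.talkback.TalkBackService",
    },
    "notification_listener": set(),  # nothing should be listening on a clean phone
    "default_sms": {"com.google.android.apps.messaging"},
}

# Constructed sample, shaped like `adb shell settings get secure <key>` output.
# "com.example.cleaner" is a hypothetical package standing in for a dropper.
SAMPLE_SETTINGS = {
    "enabled_accessibility_services":
        "com.google.android.marvin.talkback/"
        "com.google.android.marvin.talkback.TalkBackService:"
        "com.example.cleaner/.AccService",
    "enabled_notification_listeners": "com.example.cleaner/.NotifListener",
    "sms_default_application": "com.google.android.apps.messaging",
}


def parse_component_list(value):
    """Split a colon-separated component list into canonical 'pkg/cls' strings.

    Android stores an empty setting as '' or the literal string 'null'. Class
    names may be written relative to the package ('pkg/.Svc'); expand them so
    comparisons against the allowlist are exact.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    components = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        if sep and cls.startswith("."):
            cls = pkg + cls
        components.append(f"{pkg}/{cls}" if sep else pkg)
    return components


def audit(settings, allowlist=ALLOWLIST):
    """Return (capability, component) pairs that are not covered by the allowlist."""
    findings = []
    for capability, key in SETTING_KEYS.items():
        for component in parse_component_list(settings.get(key)):
            if component not in allowlist[capability]:
                findings.append((capability, component))
    return findings


def collect_from_adb(serial=None):
    """Read the same keys from a connected device via adb (requires USB debugging)."""
    base = ["adb"] + (["-s", serial] if serial else [])
    base += ["shell", "settings", "get", "secure"]
    return {
        key: subprocess.run(base + [key], capture_output=True, text=True,
                            check=True).stdout.strip()
        for key in SETTING_KEYS.values()
    }


if __name__ == "__main__":
    # Swap SAMPLE_SETTINGS for collect_from_adb() to audit a real device.
    for capability, component in audit(SAMPLE_SETTINGS):
        print(f"[!] unexpected {capability}: {component}")
```

On the constructed sample the audit reports the hypothetical cleaner app twice, once as an accessibility service and once as a notification listener, while TalkBack and the stock SMS app pass. A third-party app appearing in either of the first two lists, or as the default SMS handler, is exactly the footprint the article describes and deserves a closer look.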


Xenomorph turns out to be particularly greedy in the permissions it requests, which should raise suspicion (© ThreatFabric)

Described as "scalable and updatable", Xenomorph gives cause for concern, especially since it is still in its infancy. Its code is designed so that it can support many more features in the future. For now, Spain, Italy, Belgium and Portugal are among its priority targets. It also goes after email services and cryptocurrency wallets.


Source: ThreatFabric
