Xenomorph was first spotted by ThreatFabric in February 2022. They named it Xenomorph because of its close ties to another well-known banking trojan, Alien.
Based on the intelligence ThreatFabric gathered in 2022, 56 European banks were among the targets of this then brand-new Android banking trojan. It was distributed on the official Google Play Store as "Fast Cleaner", an application that claimed to speed up the device by removing unused clutter and lifting battery-optimization restrictions.
Fast Cleaner had over 50,000 installations, and its targets were located in Spain, Italy, Germany and Portugal.
Android has always been the preferred smartphone target of cyber criminals, so users should be very careful when downloading and installing apps, even from the Google Play Store. Threat actors keep finding new ways to sneak their malware onto the Play Store.
This particular malware was built with the intent of extending its capabilities over time, and it has been under heavy development ever since it first appeared in the wild.
Xenomorph Version 2 was released in June, 2022.
The latest version, Xenomorph v3, was released in March 2023 by the threat actor calling itself "Hadoken Security Group".
"This new version of the malware adds many new capabilities to an already feature rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework. With these new features, Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation."
"In addition, the samples identified by ThreatFabric featured configurations with Target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets, with an increase of more than 6 times with comparison to its previous variants, including financial institutions from all continents."
"The first variants of Xenomorph were distributed by GymDrop, in February 2022. Later in the year we saw the Hadoken group switch distribution medium, trying out first BugDrop, and finally landing on Zombinder. In our case, Xenomorph v3 is deployed by a Zombinder app “bound” to a legitimate currency converter, which downloads as an “update” an application posing as Google Protect."
Besides banks, it also targets cryptocurrency wallets and exchanges such as Coinbase, Gemini, Okcoin, OKEx and Oxigenwallet.
Xenomorph is MaaS (malware-as-a-service) with a complete ATS framework, and it is promoted on its own website. The commands its operators can send to an infected device are listed below.
Command | Description |
---|---|
app_list | Send List of installed apps |
inj_enable | Enable injections |
inj_disable | Disable Injections |
inj_list | Not Implemented |
inj_update | Request update of injections |
fg_enable | Enable notification in Foreground |
fg_disable | Disable notification in Foreground |
notif_ic_enable | Enable Notification Intercept |
notif_ic_disable | Disable Notification Intercept |
notif_ic_list | Not Implemented |
notif_ic_update | Not Implemented |
sms_log | Log SMSs |
sms_ic_enable | Enable SMS Intercept |
sms_ic_disable | Disable SMS Intercept |
socks_start | Start Socks server |
socks_stop | Stop Socks server |
sms_ic_list | Not Implemented |
sms_ic_update | Not Implemented |
app_kill | Kill Specified Application Process |
app_delete | Not Implemented |
app_clear_cache | Not Implemented |
self_kill | Not Implemented |
self_cleanup | Removes the malware itself |
app_start | Start Specified Application |
show_push | Show Push notification |
cookies_handler | Obtain Cookies |
send_sms | Send SMS |
make_ussd | Run USSD Code |
call_forward | Forward Call |
execute_rum | Run ATS Module |
"ATS (Automated Transfer Systems) is used to define a set of features that allow criminals to automatically complete fraudulent transactions on infected devices. Such systems are able to automatically extract credentials, account balance, initiate transactions, obtain MFA tokens and finalize the fund transfers, without the need of human interaction from an operator."
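As an added defensive check (not from the article or from ThreatFabric's report), the POSIX shell script below uses adb to list which apps on an attached Android device hold Accessibility-service and notification-listener access, the two privileges the ATS engine and notification intercept described above depend on, and flags any that are not on a local allowlist. The allowlist contents are an assumption to be adjusted per device; the `settings get secure` keys are real Android settings.

```shell
#!/bin/sh
# Added example: audit Accessibility-service and notification-listener holders on
# an Android device over adb and flag unexpected packages. Not part of the
# article or of ThreatFabric's research; sample values in comments are constructed.

# Packages expected to hold these privileges on the audited device (assumption:
# adjust to your own fleet; TalkBack and SystemUI are common legitimate holders).
ALLOWLIST="com.google.android.marvin.talkback com.android.systemui"

# Take the raw value of a colon-separated Secure Settings list, as returned by
# `settings get secure <key>` (entries look like "pkg/pkg.ServiceClass"), reduce
# each entry to its package name, and print the packages not in ALLOWLIST, one per
# line. Empty output means every holder was expected. "null" means nobody holds it.
flag_unexpected() {
    raw=$1
    [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | sed 's#/.*##' | sort -u |
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                 # expected holder, skip
            *) printf '%s\n' "$pkg" ;;     # unexpected holder, report
        esac
    done
}

# Pull both lists from the attached device and report. Accessibility access is
# what lets a banker drive the UI of other apps (the ATS runtime); notification-
# listener access is what lets it read and suppress OTP notifications.
audit_device() {
    acc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    nl=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    echo "Unexpected accessibility services:"
    flag_unexpected "$acc"
    echo "Unexpected notification listeners:"
    flag_unexpected "$nl"
}

# Only talk to a device when explicitly asked, so the functions above can be
# sourced and exercised offline against captured settings strings.
if [ "${1:-}" = "--device" ]; then
    audit_device
fi
```

Run it as `sh audit.sh --device` with one device attached and USB debugging enabled; for a fleet, collect the two settings strings from each device and feed them to `flag_unexpected` instead.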
At the time of writing, Xenomorph v3 is being distributed via the "Zombinder" platform on the Google Play Store, posing as a currency converter and switching to a Play Protect icon after installing its payload.
Read more at ThreatFabric's blog.
Download and install Malwarebytes for Android; it detects Xenomorph as Android/Trojan.Dropper.Xeno.
I could not find anything about Malwarebytes protecting against the latest version of Xenomorph V3 at the time of writing this article.