Why You Shouldn't Use Microsoft Windows11.


LMDE5 - Linux Mint Debian Edition.

LMDE5 -...

Why Should I Not Use Windows10?

Here are a...

Xenomorph Android Banking Malware Supports Over 400 Banks

Xenomorph Android Banking Malware Supports Over 400 Banks

Xenomorph Android Banking Malware Supports Over 400 Banks.

First spotted by Threat Fabric back in February 2022, they decided to name it Xenomorph because it has close ties to another famous banking trojan named Alien.

Based on the intelligence they gathered back in 2022, 56 different European banks were among the targets of this then brand new Android malware trojan, distributed on the official Google Play Store, distributed as “Fast Cleaner”, an application aiming at speeding up the device by removing unused clutter and removing battery optimization blocks.

Fast Cleaner had over 50.000 installations and the targets were located in Spain, Italy, Germany and Portugal.

Android has always been the preferred smartphone target of cyber criminals and as such users should be very careful when downloading and installing apps, even from Google Playstore. Threat actors are finding more and more ways to sneak in their malware onto Google Playstore.

This particular malware was created with the intent of extending its capabilities over time and has been under heavy development, ever since it first appeared in the wild.

Xenomorph Version 2 was released in June, 2022.

The latest version of Xenomorph V3 was released by the threat actor calling themselves "Hadoken Security Group" in March 2023.

It is far more advanced than its predecessors:

"This new version of the malware adds many new capabilities to an already feature rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework. With these new features, Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation."

"In addition, the samples identified by ThreatFabric featured configurations with Target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets, with an increase of more than 6 times with comparison to its previous variants, including financial institutions from all continents."

"The first variants of Xenomorph were distributed by GymDrop, in February 2022. Later in the year we saw the Hadoken group switch distribution medium, trying out first BugDrop, and finally landing on Zombinder. In our case, Xenomorph v3 is deployed by a Zombinder app “bound” to a legitimate currency converter, which downloads as an “update” an application posing as Google Protect."

Top targets by country:

  1. Spain
  2. Turkey
  3. Poland
  4. United States
  5. Australia
  6. Canada
  7. Italy
  8. Portugal
  9. France
  10. Germany
  11. UAE
  12. India
  13. Belgium
  • Others like Argentina, Austria, Brazil, Colombia, Denmark, Greece, Japan, Malaysia, Mexico, New Zealand, Peru, Uruguay...

Besides targeting banks it also supports cryptocoin theft, like Coinbase, Gemini, Okcoin, OKEx, Oxigenwallet.

Brazilian institutions targeted:

Xenomorph is MaaS ( malware as a service ) with a complete ATS framework and it is being promoted on its own website.

Here is the list of all commands supported by Xenomorph V3:

Command Description
app_list Send List of installed apps
inj_enable Enable injections
inj_disable Disable Injections
inj_list Not Implemented
inj_update Request update of injections
fg_enable Enable notification in Foreground
fg_disable Disable notification in Foreground
notif_ic_enable Enable Notification Intercept
notif_ic_disable Disable Notification Intercept
notif_ic_list Not Implemented
notif_ic_update Not Implemented
sms_log Log SMSs
sms_ic_enable Enable SMS Intercept
sms_ic_disable Disable SMS Intercept
socks_start Start Socks server
socks_stop Stop Socks server
sms_ic_list Not Implemented
sms_ic_update Not Implemented
app_kill Kill Specified Application Process
app_delete Not Implemented
app_clear_cache Not Implemented
self_kill Not Implemented
self_cleanup Removes the malware itself
app_start Start Specified Application
show_push Show Push notification
cookies_handler Obtain Cookies
send_sms Send SMS
make_ussd Run USSD Code
call_forward Forward Call
execute_rum Run ATS Module

So what is ATS?

"ATS (Automated Transfer Systems) is used to define a set of features that allow criminals to automatically complete fraudulent transactions on infected devices. Such systems are able to automatically extract credentials, account balance, initiate transactions, obtain MFA tokens and finalize the fund transfers, without the need of human interaction from an operator."

How Xenomorph is being distributed on Google Playstore:

At the time of writing Xenomorph v3 is being distributed via the "Zombinder" platform on the Google Play store, posing as a currency converter and switching to using a Play Protect icon after installing its payload.

Read more here at ThreatFabrics blog.

How to protect your Android Device:

Download and install Malwarebytes for Android, it recognizes Xenomorph as Android/Trojan.Dropper.Xeno.

I could not find anything about Malwarebytes protecting against the latest version of Xenomorph V3 at the time of writing this article.


Help us by donating a small amount

If you find this site helpful, please consider donating a small amount.
Please use our contact us form and we will give you the relevant information to make a donation.
We accept BitCoin and ZCash at the moment.

Games For Linux

Windows has always been the preferred platform for gaming, but after STEAM's interest in Linux more game developers are making their games natively available for Linux.


All information on this website is published in good faith and for general educational purposes and for use in safe testing environments only. While linuxexperten.com strives to make the information on this site as accurate as possible, linuxexperten.com does not warrant its completeness, reliability and accuracy.

We are not responsible for any losses or damages associated with the use of our website. While we strive to provide only links to useful websites, we have no control over the content of these sites and links to other sites do not constitute a recommendation for all content contained on these websites.


Site Information

This is a professional review site that receives compensation from the companies whose products reviewed. Each service or product are thoroughly tested and given high marks if considered to be the very best. Independently owned and the opinions expressed here are no one elses.


Limited Time Offers

None at the moment.