Newly-discovered Android malware steals banking app login credentials

Earlier this month, security researchers at ThreatFabric discovered a dangerous new trojan. They dubbed it Xenomorph because of its ties to the Alien malware, which began making the rounds in fall 2020. But while the code resembles that of Alien, the Xenomorph malware is far more capable. According to ThreatFabric, more than 50,000 Android users have installed a malicious application containing the banking app malware. The threat actors behind the malware are reportedly targeting users of 56 different banks in Europe.

Xenomorph banking app malware discovered

As ThreatFabric notes, hackers are always finding new ways to distribute malicious software through the Google Play store. Google is fighting back, but determined hackers always seem to be one step ahead. One recent, nefarious example was the Fast Cleaner app. It claimed to be able to speed up Android phones by removing clutter. But in reality, Fast Cleaner was a dropper for the Xenomorph banking app malware.

Here's what ThreatFabric found after analyzing the application:

Upon analysis, we recognized this application as belonging to the Gymdrop dropper family. Gymdrop is a dropper family discovered by ThreatFabric in November 2021. Previously it was observed deploying an Alien.A payload. From the configuration downloaded by the dropper, ThreatFabric was able to confirm that this dropper family continues to adopt this malware family as its payload. However, contrary to the past, the server hosting the malicious code also contained two other malware families, which were also returned instead of Alien, based on specific triggers.

In addition to distributing the Alien and Exobot trojans, the app also contained a brand new malware family. And that's how ThreatFabric first discovered Xenomorph.

A complete list of the Xenomorph banking app malware's capabilities. Image source: ThreatFabric

What can Xenomorph do?

ThreatFabric says Xenomorph is still under development, but is already capable of wreaking havoc. The malware's primary goal is to use an overlay attack to steal credentials for banking apps. It can also intercept texts and notifications to log and use 2FA tokens. ThreatFabric also notes that Xenomorph is designed to be "scalable and updatable."

"The amount of information stored by the logging capability of this malware is very extensive," security researchers from ThreatFabric warn in their article, "and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioural data on victims and on installed applications, even if they are not part of the list of targets."

As with most other banking app malware, Xenomorph depends on users giving it access to their devices. Once it infects a device, the malware will ask for Accessibility Service privileges. If it gains these privileges, it can "log everything that happens on the device."

So far, the malware has targeted users in Spain, Portugal, Italy, and Belgium. Although it's still in the early stages of development, researchers say it has plenty of untapped potential. Currently, "Xenomorph is capable of abusing Accessibility Services to steal [personal identifiable information] from unaware victims, prevent uninstallation and intercept SMS and notifications." In the future, it could become even more dangerous.
