A new banking malware targeted thousands of Android users after appearing on the Google Play Store as an Android app. Identified as “Xenomorph,” this banking trojan resembles the Alien malware but exhibits different functionalities.
Xenomorph Android Banking Trojan Active In The Wild
Researchers from ThreatFabric have shared insights about the new Xenomorph banking trojan in a recent post.
Specifically, the malware appeared on the Google Play Store, impersonating a phone booster app. This app, named “Fast Cleaner,” attracted 50,000 downloads and appeared to deliver the functionality it claimed.
However, analyzing the app led the researchers to discover its link with the Gymdrop dropper family that previously deployed Alien malware. In the recent campaigns (which included the ‘Fast Cleaner’ app), the threat actors instead deployed a new malware, “Xenomorph.”
In brief, Xenomorph is also an Android banking trojan, closely related to the Alien malware in terms of class names and strings. However, it exhibits significantly different and more advanced malicious functionalities, making it a potent malware. It currently appears to be under development, though, with the potential to evolve further.
Some of the current Xenomorph capabilities include screen overlays to steal login credentials and PII, and obtaining Accessibility Service privileges. The malware code also hints at other functionalities which currently remain dormant.
For C&C communication, the threat actors abuse the legitimate open-source library Retrofit2. The library itself is entirely legitimate, so the researchers have explicitly stated that its misuse is beyond the control of the Retrofit2 developers.
ThreatFabric wants to explicitly mention that RetroFit is a legitimate and legal product. The developers that created this project have no control over the misuse of their software.
Stay Cautious Of Unknown Android Apps
The malicious app appeared on the Google Play Store recently. Although it no longer exists there, this does not mean that the threat is over. Hence, apart from uninstalling the malicious app from their devices, users should avoid trying new apps from unknown or unverified developers.
As for Xenomorph, the researchers explained that it has great potential to increase its maliciousness in the future.
Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon…
The current version of Xenomorph is capable of abusing Accessibility Services to steal PII from unaware victims, prevent uninstallation and intercept SMS and notifications. ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android Banking trojans.
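As an added example (not code from the article or from ThreatFabric), the following triage helper flags an APK manifest that declares the capability combination described above: an Accessibility Service binding, SMS access, and a notification listener. The manifest text, package name and service names are constructed for illustration.

```python
# Added example: manifest triage for the Xenomorph-style capability mix
# (accessibility service + SMS access + notification listener). The
# sample manifest below is constructed and does not come from any real app.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a "cleaner" utility that also binds an accessibility
# service, requests SMS receipt and registers a notification listener.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the set of risky capability tags declared in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    svc_perms = {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    found = set()
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in svc_perms:
        found.add("accessibility_service")
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        found.add("sms_access")
    if "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in svc_perms:
        found.add("notification_listener")
    return found


def is_suspicious(xml_text, claimed_category="cleaner"):
    """A utility-category app declaring two or more of these capabilities
    has no obvious need for them and warrants manual review."""
    found = triage_manifest(xml_text)
    return claimed_category in ("cleaner", "booster") and len(found) >= 2
```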
Do share with us your thoughts in the comments.