Xenomorph Android malware now steals data from 400 banks

ThreatFabric is reporting on a new fully automated Android banking Trojan referred to as “Xenomorph 3rd Generation” by its maker, the Hadoken Security Group. The first version of this malware was spotted by ThreatFabric in February of 2022, when it had over 50,000 downloads. That version targeted 56 European banks and was distributed through dropper apps published on the Google Play Store. It used injection for overlay attacks and abused accessibility services permissions to intercept and steal one-time codes.
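The two techniques named above, overlay attacks and abuse of accessibility services, are both visible to a banking app on the device itself. The following added example (not code from ThreatFabric or from the malware; a hypothetical `AccessibilityHardening` helper for an Android banking app) shows the two standard defensive checks: enumerating the accessibility services the user has enabled so the app can warn about or block unrecognised ones, and setting `filterTouchesWhenObscured` on sensitive views so taps delivered through an overlay window are discarded.

```java
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import android.view.View;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper for a banking app; names are assumptions, not part of any
// published project. Uses only documented Android framework APIs.
public final class AccessibilityHardening {

    private AccessibilityHardening() {}

    // Returns the flattened component names (package/class) of every
    // accessibility service currently enabled on the device. The setting is a
    // colon-separated string; an empty or null value means none are enabled.
    // The app can compare this list against a short allow-list of known
    // assistive tools and warn the user when an unknown service has control.
    public static List<String> enabledAccessibilityServices(Context ctx) {
        String raw = Settings.Secure.getString(
                ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        List<String> services = new ArrayList<>();
        if (TextUtils.isEmpty(raw)) {
            return services;
        }
        TextUtils.SimpleStringSplitter splitter = new TextUtils.SimpleStringSplitter(':');
        splitter.setString(raw);
        for (String component : splitter) {
            if (!component.isEmpty()) {
                services.add(component);
            }
        }
        return services;
    }

    // Overlay defence: when another window is drawn on top of this view, the
    // framework drops touch events instead of delivering them. Apply this to
    // login buttons, transfer confirmation buttons and OTP entry fields.
    public static void hardenSensitiveView(View view) {
        view.setFilterTouchesWhenObscured(true);
    }
}
```

Neither check is a complete answer on its own: a trojan that already holds accessibility permission can drive the UI without touching the screen, which is why the app-side signal from `enabledAccessibilityServices` matters, and why the second factor should live on a separate device, as the comment later in this post argues.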

The second generation of this Trojan was released in June of 2022 and was notable for a complete code overhaul, but it was only released in low-volume, short bursts, apparently for testing purposes. Researchers say that this third version is the most flexible yet, fully automating the process of data theft: stealing credentials and account balances, performing banking transactions, and finalizing fund transfers.

This third version is being offered on a dedicated website and targets more than 400 banking and financial institutions from all continents, including several crypto wallets.

“This new version of the malware adds many new capabilities …, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework. …, Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation.”

Ted Miracco, CEO of Approov, had this comment:

   “The fact that this malware has gone through several iterations since its initial detection in February 2022, with each version becoming more advanced and sophisticated, demonstrates the ongoing efforts of cybercriminals to stay ahead of security measures.

   “This includes using multi-factor authentication wherever possible, and correctly. For example, SMS-based 2FA on the same mobile device that is using the compromised mobile app to access sensitive data will be completely vulnerable against attacks using this Xenomorph trojan attack. The second factor needs to be on a non-compromised platform, for example another device or a hardware-based authentication key, to be effective. As technology continues to advance, so too will the sophistication of cyber threats, making it essential for all of us to remain vigilant and proactive in protecting ourselves and our data.”

That this malware has gone through three revisions illustrates that its makers are here to stay. This means that the average consumer, as well as those who hunt for this sort of thing, have to work twice as hard to make sure that nobody gets taken advantage of by the people behind threats like this.
