THREAT ALERT

Malware: Xenomorph Android Banking Trojan

Thursday, September 28th, 2023

Summary

Xenomorph, an Android banking trojan, has resurfaced in a more advanced form. Originally discovered in early 2022, this malicious software was initially targeted at European banks using screen overlay phishing techniques and was distributed through Google Play. However, the latest iteration of Xenomorph has expanded its scope to include over 35 financial institutions in the United States and various cryptocurrency applications. 

Xenomorph’s method involves using deceptive phishing pages to trick users into downloading a malicious APK while employing overlays to steal sensitive data. Notably, each version of Xenomorph contains approximately 100 custom overlays tailored to specific banks and cryptocurrency apps based on the intended victims’ demographics. 

Behavior Summary 

In its most recent campaign, the cybercriminals behind this malware have opted for phishing pages to deceive visitors into thinking they need to update their Chrome browser, resulting in the inadvertent download of the malicious APK. 

While the core tactic of using overlays to steal sensitive information remains consistent, Xenomorph has broadened its target range. In addition to its previous focus, it now also targets financial institutions in the United States and various cryptocurrency applications. 

ThreatFabric has revealed that each variant of Xenomorph includes an extensive array of around 100 overlays, each designed to target specific sets of banks and cryptocurrency applications based on the demographics of the intended victims. This alone highlights Xenomorph’s noteworthy adaptability.  

New features include the malware’s ability to write to storage and prevent a compromised device from entering “sleep” mode. 

ThreatFabric explained, “Xenomorph remains a highly potent Android banking malware with an exceptionally adaptable and robust ATS engine. It boasts several pre-built modules tailored to various manufacturers’ devices.” 
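The behaviors above (screen overlays, writing to storage, keeping the device awake) each map to a declarable Android permission, so a decoded manifest can be scored as a first triage step when a sideloaded "browser update" APK turns up. The following is an added example, not code from DefenseStorm or the cited reports; the permission strings are real Android constants, while the weights, threshold, accessibility-service assumption and the sample manifest are constructed for illustration.

```python
# Added triage heuristic (not DefenseStorm's or the cited reports' code): score a decoded
# AndroidManifest.xml for the permission cluster behind overlays, storage writes and wake locks.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# permission -> (weight, capability). Weights and threshold are assumptions for this example;
# accessibility is listed because overlay/ATS-style banking malware commonly abuses it.
SUSPICIOUS = {
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "draw overlays over other apps"),
    ACCESSIBILITY: (3, "read and act on other apps' UI"),
    "android.permission.WAKE_LOCK": (1, "keep the device from sleeping"),
    "android.permission.WRITE_EXTERNAL_STORAGE": (1, "write to shared storage"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (2, "install further packages"),
}
ESCALATE_AT = 4  # overlay capability plus at least one supporting capability

def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, weighted score, findings and verdict for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter():
        if el.tag == "uses-permission":
            found.add(el.get(NS + "name", ""))
        # Accessibility is declared on the <service> element, not via <uses-permission>.
        elif el.tag == "service" and el.get(NS + "permission") == ACCESSIBILITY:
            found.add(ACCESSIBILITY)
    findings = [(p, SUSPICIOUS[p][1]) for p in SUSPICIOUS if p in found]
    score = sum(SUSPICIOUS[p][0] for p, _ in findings)
    return {
        "package": root.get("package", "?"),
        "score": score,
        "findings": findings,
        "verdict": "escalate" if score >= ESCALATE_AT else "low",
    }

# Constructed sample resembling a "browser update" lure package; not a real indicator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.browserupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest` over manifests pulled from an apktool-decoded APK; a low score does not clear a sample, it only orders analyst attention.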

DefenseStorm Recommendations 

DefenseStorm recommends informing your customer base about the importance of being vigilant when it comes to installing applications from any App store. 

Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:  

  • Continued internal training on recognizing phishing campaigns 
  • Block threat indicators at their respective controls  
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities 
  • Maintain a strong password policy 
  • Enable multi-factor authentication 
  • Regularly back up data, and keep air-gapped, password-protected backup copies offline  
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location 
  • Use app hardening 
  • Restrict administrative access 

SOURCES:

Xenomorph Android malware now targets U.S. banks and crypto wallets. https://www[.]bleepingcomputer[.]com/news/security/xenomorph-android-malware-now-targets-us-banks-and-crypto-wallets/

Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions https://thehackernews[.]com/2023/09/xenomorph-banking-trojan-new-variant[.]html

Diana Rodriguez

Cyber Threat Intelligence Engineer

Diana Rodriguez is a Cyber Threat Intelligence Engineer for DefenseStorm. She joined DefenseStorm in 2019 with 9.5 years of experience in cybersecurity and banking. Diana’s career began at Wells Fargo, where she played a pivotal role in protecting financial institutions. Over her 5 years with Wells Fargo she held diverse positions, starting as a teller, then transitioning to financial crime analyst, and eventually cyber security analyst. This experience provided her with a comprehensive understanding of the intricacies of the banking industry and the critical importance of cybersecurity in protecting sensitive data. Diana holds a Bachelor’s degree in computer science from UNCC and a Master’s Degree in Cybersecurity from UNC at Chapel Hill. She completed the MITRE ATT&CK® Defender certifications, which provided her with the expertise to effectively apply knowledge of adversary behaviors, enhancing security configurations, analytics, and decision-making to provide the utmost protection for DefenseStorm’s clients. Diana also holds the GIAC Certified Incident Handler, NSE1, and NSE2 certifications. During her tenure at DefenseStorm, she has become proficient in the platform, taking an active role in proactively detecting and responding to cyber threats. She has played a vital role in developing new policies and advanced analytics to detect and prevent potential attacks effectively, while educating and empowering customers to optimize the DefenseStorm services to fortify their security measures.