THREAT ALERT
Thursday, September 28th, 2023
Summary
Xenomorph, an Android banking trojan, has resurfaced in a more advanced form. Originally discovered in early 2022, this malicious software was initially targeted at European banks using screen overlay phishing techniques and was distributed through Google Play. However, the latest iteration of Xenomorph has expanded its scope to include over 35 financial institutions in the United States and various cryptocurrency applications.
Xenomorph’s method involves using deceptive phishing pages to trick users into downloading a malicious APK while employing overlays to steal sensitive data. Notably, each version of Xenomorph contains approximately 100 custom overlays tailored to specific banks and cryptocurrency apps based on the intended victims’ demographics.
Behavior Summary
In its most recent campaign, the cybercriminals behind this malware have opted for phishing pages to deceive visitors into thinking they need to update their Chrome browser, resulting in the inadvertent download of the malicious APK.
While the core tactic of using overlays to steal sensitive information remains consistent, Xenomorph has broadened its target range. In addition to its previous focus, it now also targets financial institutions in the United States and various cryptocurrency applications.
ThreatFabric has revealed that each variant of Xenomorph includes an extensive array of around 100 overlays, each designed to target specific sets of banks and cryptocurrency applications based on the demographics of the intended victims. This alone highlights Xenomorph’s noteworthy adaptability.
New features include the malware’s ability to write to storage and prevent a compromised device from entering “sleep” mode.
ThreatFabric explained, “Xenomorph remains a highly potent Android banking malware with an exceptionally adaptable and robust ATS engine. It boasts several pre-built modules tailored to various manufacturers’ devices.”
DefenseStorm Recommendations
DefenseStorm recommends informing your customer base about the importance of remaining vigilant when installing applications from any app store, including Google Play, and of treating unexpected "browser update" prompts on a web page as a warning sign rather than a legitimate update.
Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:
Xenomorph Android malware now targets U.S. banks and crypto wallets. https://www[.]bleepingcomputer[.]com/news/security/xenomorph-android-malware-now-targets-us-banks-and-crypto-wallets/
Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions https://thehackernews[.]com/2023/09/xenomorph-banking-trojan-new-variant[.]html