The cybercriminals behind the sophisticated Android banking Trojan known as Xenomorph have expanded their operations to target customers of more than two dozen US banks. Initially focused on users in Europe, the threat actors have now set their sights on major financial institutions in the United States, including Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. Recent samples of the malware analyzed by researchers at ThreatFabric also contain new targeting for popular cryptocurrency wallet apps, including Bitcoin, Binance, and Coinbase.
According to ThreatFabric, thousands of Android users in the United States and Spain have fallen victim to the Xenomorph malware since August. The threat actor appears to be particularly interested in users of Android devices from Samsung and Xiaomi, which together hold around 50% of the Android market share.
The emergence of malware like Xenomorph highlights the growing sophistication of mobile attacks and the threat they pose, especially to Android users. A study conducted by Zimperium earlier this year found that threat actors prefer to target Android because of the larger number of vulnerabilities in the Android ecosystem. The same study reported that Android app developers tend to make more mistakes than their iOS counterparts, which makes Android devices a more lucrative target for cybercriminals.
While adware and potentially unwanted applications currently remain the top threat for Android users, banking Trojans like Xenomorph are increasingly putting these devices at risk. In the first quarter of 2023, banking Trojans accounted for nearly 19% of all mobile threats, up from earlier periods. Notable banking Trojans include SpyNote.C, Hook, Malibot, and Triada, all of which are capable of stealing banking information from compromised devices.
ThreatFabric first reported on Xenomorph in February 2022 when it was discovered masquerading as legitimate apps and utilities on Google’s Play mobile app store. One of the apps, named “Fast Cleaner,” claimed to optimize battery life but was actually designed to steal credentials from customers of major European banks. Over 50,000 Android users had downloaded the app at that time.
The developers of Xenomorph have also been linked to another powerful Android remote access Trojan called Alien. Both malware families use overlays that spoof the account login pages of targeted banks: when a user on a compromised device opens a targeted banking app and attempts to log in, the malware draws a fake login page over it to capture the credentials and other account information. Xenomorph also intercepts two-factor authentication codes delivered by SMS, which lets the threat actors take over online accounts and steal funds even when SMS-based 2FA is enabled.
In the latest campaign, observed in August 2023, the threat actors behind Xenomorph changed their distribution mechanism. Instead of infiltrating Google Play, they now distribute the malware through phishing web pages that impersonate trusted sources, such as fake Chrome browser update pages or a spoofed Google Play store, and prompt the victim to sideload the malicious APK.
One significant aspect of the latest version of Xenomorph is its Automatic Transfer System (ATS) framework, which automates fund transfers from the victim's bank accounts to attacker-controlled accounts without the operator having to drive the device by hand. The ATS engine contains several modules that grant the malware the permissions it needs to operate undetected on compromised devices. It can disable settings, dismiss security alerts, block device resets and uninstall attempts, and prevent certain privileges from being revoked. The malware's new capabilities also include the ability to write to storage and to prevent a compromised device from entering "sleep" mode.
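The overlay, SMS-interception and ATS behaviour described above all depend on the malicious app being granted an Accessibility Service, so a quick triage check on a suspect handset is to list every enabled accessibility service and flag those that belong to a sideloaded third-party app. The script below is an added example for this article, not code from ThreatFabric or from the malware; it parses the output of the real `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` / `-3` commands. The sample outputs, the package name `com.example.fastcleaner`, and the set of trusted installers are constructed assumptions and should be adjusted for your own fleet.

```python
"""Triage helper: flag enabled Android accessibility services owned by
sideloaded apps. Added example; sample device output below is constructed."""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Assumption: the app stores we trust as installers. Extend for your OEMs.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service components). com.example.fastcleaner is a
# made-up stand-in for a sideloaded dropper; it is not the real package name.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fastcleaner/com.example.fastcleaner.svc.AccService"
)

# Constructed sample of `adb shell pm list packages -i` (installer per package).
SAMPLE_PACKAGES_WITH_INSTALLER = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fastcleaner  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.samsung.android.messaging  installer=null
"""

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """\
package:com.google.android.marvin.talkback
package:com.example.fastcleaner
package:com.android.chrome
"""

_PKG_LINE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?\s*$")


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the enabled_accessibility_services value into (package, service)."""
    pairs = []
    for entry in raw.strip().split(":"):
        if entry:
            pkg, _, svc = entry.partition("/")
            pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package -> installer package, or None when pm reports 'null'."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            installer = m.group(2)
            installers[m.group(1)] = None if installer in (None, "null") else installer
    return installers


def parse_package_list(raw: str) -> Set[str]:
    """Collect package names from any `pm list packages` output."""
    pkgs = set()
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            pkgs.add(m.group(1))
    return pkgs


def flag_suspicious_services(enabled, installers, third_party,
                             trusted=TRUSTED_INSTALLERS) -> List[Tuple[str, str, str]]:
    """Return (package, service, installer) for each enabled accessibility
    service whose package is third-party and not installed by a trusted store.
    System/OEM services (not in the -3 list) are skipped on purpose."""
    findings = []
    for pkg, svc in enabled:
        if pkg not in third_party:
            continue
        installer = installers.get(pkg)
        if installer in trusted:
            continue
        findings.append((pkg, svc, installer or "none (sideloaded or unknown)"))
    return findings


def collect_from_device() -> List[Tuple[str, str, str]]:
    """Run the same check against a USB-debugging-enabled device via adb."""
    def adb(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return flag_suspicious_services(
        parse_enabled_services(adb("settings", "get", "secure", "enabled_accessibility_services")),
        parse_installers(adb("pm", "list", "packages", "-i")),
        parse_package_list(adb("pm", "list", "packages", "-3")),
    )


if __name__ == "__main__":
    for pkg, svc, installer in flag_suspicious_services(
            parse_enabled_services(SAMPLE_ENABLED_SERVICES),
            parse_installers(SAMPLE_PACKAGES_WITH_INSTALLER),
            parse_package_list(SAMPLE_THIRD_PARTY)):
        print(f"SUSPICIOUS accessibility service {svc} in {pkg} (installer: {installer})")
```

A hit is a lead, not a verdict: legitimate password managers and assistive apps also hold accessibility access, so confirm the installer and the APK signer before acting. Because the ATS engine described above actively blocks uninstall from the device UI, removal is more reliable over adb (`adb shell pm uninstall --user 0 <package>`) or after rebooting into safe mode, which keeps third-party accessibility services from starting.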
ThreatFabric warns that Xenomorph continues to pose a significant threat as an Android banking malware. Its versatile ATS engine, coupled with its ability to adapt to different manufacturers' devices, makes it extremely dangerous. Users are advised to install apps only from official stores, to refuse "update" prompts served by web pages, and to review which apps hold accessibility access on their Android devices.
