Xenomorph Banking Trojan Garnered 50K Downloads On Play Store

A new banking malware targeted thousands of Android users after appearing on the Google Play Store as an Android app. Identified as “Xenomorph,” this banking trojan resembles Alien malware but exhibits different functionalities.

Xenomorph Android Banking Trojan Active In The Wild

Researchers from ThreatFabric have shared insights about the new Xenomorph banking trojan in a recent post.

Specifically, the malware appeared on the Google Play Store, impersonating a phone booster app. This app, named “Fast Cleaner,” attracted 50,000 downloads and seemed to work on the claimed functionalities.

Source: ThreatFabric

However, analyzing the app made the researchers find its link with the Gymdrop dropper family that previously deployed Alien malware. But in the recent campaigns (that included the ‘Fast Cleaner’ app), the threat actors deployed a new malware, “Xenomorph.”

Briefly, Xenomorph is also an Android banking trojan closely related to the Alien malware regarding class names and strings. However, it exhibits somewhat different and advanced malicious functionalities, making it a potent malware. Though, it currently seems under development, with the potential to evolve in the future.

Some of the existing Xenomorph capabilities include screen overlays to steal login credentials and PII data and gain Accessibility Service privileges. The malware code also hints at some other functionalities which presently remain dormant.

For C&C communication, the threat actors abuse the legit open-source tool Retrofit2. Nonetheless, the latter is an entirely legit tool. So, the researchers have explicitly mentioned the tool’s misuse beyond Retrofit2 developers’ control.

ThreatFabric wants to explicitly mention that RetroFit is a legitimate and legal product. The developers that created this project have no control over the misuse of their software.

Stay Wary Of Unknown Android Apps

The malicious app has appeared on the Google Play Store lately. However, while it no longer exists there, it doesn’t mean that the threat is over. Hence, apart from uninstalling the malicious app from their devices, users should avoid trying any new apps from unknown or unverified developers.

As for Xenomorph, the researchers explained that it has tremendous potential to enhance its maliciousness in the future.

Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon…
The current version of Xenomorph is capable of abusing Accessibility Services to steal PII from unaware victims, prevent uninstallation and intercept SMS and notifications. ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android Banking trojans.

Do share with us your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil