
A new variant of the Android banking Trojan called Xenomorph has emerged, according to the latest findings from ThreatFabric.
Named Xenomorph 3rd generation by the Hadoken Security Group, the threat actor behind the operation, the latest version includes new features that allow the seamless execution of financial fraud.
“This new version of the malware adds a number of new features to the already feature-rich Android banker. It’s a very broad run-time engine deployment,” the security firm said in a report shared with The Hacker News.
Xenomorph was first documented a year ago, in February 2022, when it was found targeting 56 European banks through a dropper app published on the Google Play store.
In contrast, the latest iteration of the banker (which has a dedicated website promoting its features) is designed to target over 400 banks and financial institutions, including several cryptocurrency wallets.

ThreatFabric said it detected samples distributed via Discord’s Content Delivery Network (CDN), a hosting technique that has proliferated among malware operators since 2020. Two of the apps laced with Xenomorph are:
- Play Protect (com.great.calm)
- Play Protect (meritoriousness.mollah.presser)
“Xenomorph v3 is deployed by Zombinder apps ‘bound’ to legitimate currency converters that download applications masquerading as Google Protect as ‘updates’,” ThreatFabric explains.
Zombinder refers to an APK binding service that has been advertised on the dark web since March 2022, through which malware is delivered inside trojanized versions of legitimate apps. The offer has since been discontinued.
The latest campaign targets financial institutions in Spain, Italy, Portugal, and Belgium, as well as in Canada.
Like other Android banking malware, Xenomorph is known to abuse accessibility services to carry out overlay attacks, in which a fake login screen is drawn over a legitimate banking app to harvest credentials. It also has the ability to complete fraudulent transactions on infected devices without user interaction, a technique called Automated Transfer System (ATS).

As banks move from SMS to authenticator apps for two-factor authentication (2FA), the Xenomorph Trojan’s ATS module allows it to launch the authenticator app and extract the one-time codes it displays, again by driving the user interface through accessibility services.
The malware can also steal session cookies, allowing attackers to carry out account takeover attacks without needing the victim’s credentials or 2FA codes.
“These new features allow Xenomorph to fully automate the entire fraud chain, from infection to withdrawal of funds, making it one of the most advanced and dangerous Android malware Trojans in circulation,” the company said.
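The abuse described in the two paragraphs above (overlay attacks and ATS) depends on the malicious app being granted an accessibility service, which on Android is recorded in a device setting an analyst can read over `adb`. The following triage helper is an added example, not code from ThreatFabric or from the article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, flags the two package names the article lists, and flags any enabled accessibility service whose package is not on an allowlist. The allowlist contents and the sample device output are constructed assumptions for the example.

```python
"""Triage helper for accessibility-service abuse on an Android device.

Added example, not ThreatFabric's or the article's code. Inputs are the
text of two adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
"""

# Package names the article lists for the Xenomorph-laced "Play Protect" apps.
XENOMORPH_PACKAGES = {
    "com.great.calm",
    "meritoriousness.mollah.presser",
}

# Accessibility services expected on a clean device. Assumption for the
# example: extend this to match the devices in your fleet (OEM services etc.).
ALLOWLISTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_enabled_accessibility_services(value: str) -> list[str]:
    """Parse the enabled_accessibility_services setting.

    Android stores it as 'pkg/ServiceClass:pkg2/ServiceClass2', or the
    literal string 'null' when no service is enabled.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def parse_pm_list_packages(output: str) -> list[str]:
    """Parse 'package:<name>' lines from `pm list packages`."""
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line.split(":", 1)[1])
    return packages


def triage(enabled_services: str, packages_output: str) -> dict:
    """Return known Xenomorph packages and non-allowlisted accessibility
    services found in the captured device output."""
    installed = parse_pm_list_packages(packages_output)
    known = sorted(p for p in installed if p in XENOMORPH_PACKAGES)

    suspicious = []
    for entry in parse_enabled_accessibility_services(enabled_services):
        package = entry.split("/", 1)[0]
        if package not in ALLOWLISTED_ACCESSIBILITY_PACKAGES:
            suspicious.append(entry)

    return {"known_xenomorph": known, "suspicious_accessibility": suspicious}


# Constructed sample output standing in for a real adb capture. The service
# class name for com.great.calm is invented for the example.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.great.calm/com.great.calm.AccService"
)
SAMPLE_PACKAGES = """\
package:com.great.calm
package:com.example.currencyconverter
package:org.mozilla.firefox
"""


if __name__ == "__main__":
    result = triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES)
    for category, hits in result.items():
        for hit in hits:
            print(f"{category}: {hit}")
```

A hit in `suspicious_accessibility` is not proof of infection on its own (legitimate password managers and automation apps also use accessibility services), but an enabled service belonging to an app that claims to be "Play Protect" or a currency converter is exactly the pattern the article describes and warrants pulling the APK for analysis.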