Xenomorph Android Malware

A potent Android banking Trojan has managed to infiltrate the Google Play Store and infect over 50, 000 devices, despite still being under development. The threat is tracked as the Xenomorph Android Malware by the experts at ThreatFabric, who have analyzed its underlying code and functionalities. According to their findings, Xenomorph's main goal is to collect sensitive banking information from its victims and despite not being entirely completed, it is already capable of targeting 56 banks from countries across Europe.

It should be noted that the threat shares certain code similarities with another banking Trojan named Alien. This fact could mean that Xenomorph is a continuation of the previous Alien threat or that a developer has worked on both.

Distribution and Functionality

To bypass the protections of the official Google Play Store, the cybercriminals behind Xenomorph used a dedicated dropper application that is being classified as part of the 'Gymdrop' dropper family, which was first discovered back in November 2021. The application was named 'Fast Cleaner' and tried to attract users with promises of boosting the performance of their Android devices. The application itself doesn't contain any threatening payloads - it fetches the Xenomorph Trojan only after being installed on the victim's device.

Once inside, the malware requests to receive Accessibility Service permissions, which it then promptly abuses to get even more permissions on the device. Ultimately, the threat will be able to intercept notifications, SMS messages and perform overlay attacks. In short, the threat can obtain credentials and one-time passwords allowing it to compromise the victim's banking and financial accounts.

Cybersecurity experts expect that Xenomorph will continue to evolve. Indeed, the modular approach adopted by its developers allows them to easily add more invasive features. Even now the threat has several commands referring to keylogging routines and additional data collection capabilities that have not been fully implemented.