A new Android banking malware with over 50,000 installations has been discovered and disseminated via the official Google Play Store, with the purpose of targeting 56 European banks and stealing sensitive information from affected devices. The in-development malware, dubbed Xenomorph by Dutch security firm ThreatFabric, is reported to share similarities with another banking trojan known as Alien while yet being "radically different" in terms of functionality given.
Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA stealing features, emerged shortly after the iconic Cerberus malware was decommissioned in August 2020. Other Cerberus forks have been detected in the wild since then, including ERMAC in September 2021. Xenomorph, like Alien and ERMAC, is another Android banking trojan that tries to avoid Google Play Store security by posing as productivity apps like "Fast Cleaner" to deceive unsuspecting victims into installing the malware.
Fast Cleaner, which has the package name "vizeeva.fast.cleaner" and is still available on the app store, has been most popular in Portugal and Spain, according to Sensor Tower data, with the app making its initial appearance in the Play Store at the end of January 2022.
This Android Banking malware is still under development and mostly offers the bare minimum of capabilities expected of a modern Android banking trojan. It’s primary attack vector is the use of an overlay attack to steal credentials, along with SMS and Notification interception to log and use potential 2FA tokens. The Accessibility engine that powers this malware, as well as the infrastructure and C2 protocol, have been meticulously developed to be scalable and updatable.
"Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS."
The data recorded by this malware's logging capability is vast, and if sent back to the C2 server, it may be used to execute keylogging as well as collect behavioural data on victims and on installed applications, even if they are not on the list of targets.
In the first stage, the malware sends back a list of installed packages on the device, and then it downloads the necessary overlays to inject based on which targeted application is present on the device. Xenomorph supplied a list of overlay targets that included targets from Spain, Portugal, Italy, and Belgium, as well as some general-purpose applications such as emailing services and cryptocurrency wallets.
