
The cybercriminals behind a sophisticated Android banking Trojan known as Xenomorph, who have been actively targeting users in Europe for more than a year, recently set their sights on customers of more than two dozen US banks.
Among those in the threat actor's crosshairs are customers of major financial institutions such as Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. New samples of the malware analyzed by researchers at ThreatFabric showed that it also incorporates additional features targeting several crypto wallets, including Bitcoin, Binance, and Coinbase.
Thousands of Android Users Affected
In a report this week, the Netherlands-based cybersecurity vendor said thousands of Android users in the United States and Spain have downloaded the malware onto their devices since just August.
"Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions which have been historically of interest for this family, like Spain or Canada, and adding a large list of targets from the United States," ThreatFabric said. Users of Android devices from Samsung and Xiaomi, which together hold around 50% of Android market share, appear to be targets of particular interest for the threat actor.
Malware like Xenomorph highlights the growing and increasingly sophisticated nature of mobile threats, especially for Android users. A study released by Zimperium earlier this year showed that threat actors are significantly more interested in Android than iOS because of the higher number of vulnerabilities present in the Android environment. Zimperium also found that Android app developers tend to make more mistakes when developing apps than iOS developers do.
For the moment, adware and other potentially unwanted applications remain the top threat for Android users. But banking Trojans such as Xenomorph increasingly imperil these devices. In the first quarter of 2023, the share of banking Trojans as a proportion of all other mobile threats increased to nearly 19%, compared with 18% the previous quarter. The more notable among them included remote access Trojans with capabilities for stealing banking information, such as SpyNote.C, Hook, Malibot, and Triada.
Alien to Xenomorph
ThreatFabric first reported on Xenomorph in February 2022 after spotting the banking Trojan masquerading as legitimate apps and utilities on Google's Play mobile app store. One of them was "Fast Cleaner," an app that purported to remove clutter and optimize battery life, but which also sought to steal credentials to accounts belonging to customers of some 56 major European banks. More than 50,000 Android users downloaded the app onto their Android devices.
At the time, the malware was still under active development. Its many features included those for harvesting device information, intercepting SMS messages, and enabling online account takeovers. The company assessed that the developers of Xenomorph were likely the same as, or had some connection to, those behind another powerful Android remote access Trojan known as Alien.
Like other banking malware, Xenomorph contained overlays that spoof the account login pages of all the targeted banks, the researchers found in their 2022 analysis. So when an Android user with a compromised device tried to log into an account with any of the banks on the target list, the malware automatically displayed a spoofed version of that bank's login page to capture usernames, passwords, and other account information. Xenomorph also supported features for intercepting and stealing two-factor authentication tokens sent via SMS messages, giving the attackers a way to take over online accounts and steal funds from them.
Enter the new campaign in August 2023: in this latest round, the threat actors appear to have switched their primary malware distribution mechanism. Instead of smuggling Xenomorph into Google Play, the operators of the malware are now distributing it via phishing Web pages. In many cases, these pages have purported to be trusted Chrome browser update sites or Google Play store websites.
One notable aspect of the latest version of Xenomorph is its sophisticated and flexible Automatic Transfer System (ATS) framework for automatically transferring funds from a compromised device to an attacker-controlled one. Xenomorph's ATS engine incorporates several modules that allow the threat actor to take control of a compromised device and execute a variety of malicious actions.
These include modules that allow the malware to grant itself all the permissions it needs to run unhindered on a compromised device. Other features allow the malware to disable settings, dismiss security alerts, stop device resets and device uninstalls, and prevent certain privileges from being revoked. Many of these are functions that were present in initial versions as well.
What's new are capabilities that allow the malware to write to storage and to prevent a compromised device from slipping into "sleep" mode.
"Xenomorph maintains its status as an extremely dangerous Android banking malware, featuring a very flexible and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturers' devices," ThreatFabric said.
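The capability profile described above (login-page overlays, SMS 2FA interception, self-granted permissions and blocked uninstalls via an accessibility service, keeping the device awake, writing to storage) is visible in an app's manifest before any dynamic analysis. The following triage script is an added example written for this article, not ThreatFabric's tooling or anything from the Xenomorph samples; it parses an `AndroidManifest.xml`, maps declared permissions to those capabilities, and flags the overlay-plus-SMS-plus-accessibility combination that benign cleaner or utility apps have no reason to request. The permission names are real Android identifiers; both manifests are constructed for the example.

```python
"""Heuristic manifest triage for the overlay/SMS/accessibility capability
profile of Android banking Trojans. Added example, not ThreatFabric's tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability -> permissions an app must declare to obtain it. Each entry maps
# to a behaviour the article attributes to Xenomorph.
CAPABILITIES = {
    "overlay_login_pages": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_otp_interception": {"android.permission.RECEIVE_SMS",
                             "android.permission.READ_SMS"},
    # An accessibility service is the usual route to clicking through
    # permission prompts, dismissing alerts and blocking uninstall dialogs.
    "accessibility_automation": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "block_uninstall_device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "keep_device_awake": {"android.permission.WAKE_LOCK"},
    "write_storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Any one of these is common in legitimate apps; all three together is the
# banking-Trojan signature, so the verdict keys on the combination.
CORE_PROFILE = {"overlay_login_pages", "sms_otp_interception",
                "accessibility_automation"}


def declared_permissions(manifest_xml: str) -> set:
    """Return <uses-permission> names plus the android:permission values on
    <service>/<receiver> elements, which is how accessibility-service and
    device-admin bindings are declared."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        for component in root.iter(tag):
            bind_perm = component.get(PERMISSION_ATTR)
            if bind_perm:
                perms.add(bind_perm)
    perms.discard(None)
    return perms


def triage(manifest_xml: str) -> dict:
    """Map declared permissions to capabilities and give a coarse verdict."""
    perms = declared_permissions(manifest_xml)
    hits = {cap: sorted(perms & needed)
            for cap, needed in CAPABILITIES.items() if perms & needed}
    if CORE_PROFILE.issubset(hits):
        verdict = "banking-trojan-profile"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"capabilities": hits, "verdict": verdict}


# Constructed manifest imitating a "cleaner" utility that requests the full
# overlay/SMS/accessibility/device-admin set. Package name is a placeholder.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed manifest for a plain network-only app.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['verdict']}")
        for cap, perms in result["capabilities"].items():
            print(f"  {cap}: {', '.join(perms)}")
```

On a real APK the manifest is binary XML; run it through `apktool d` or `aapt dump xmltree` first and feed the decoded text to `triage()`. The verdict is a triage hint for prioritising analyst attention, not a detection signature: a legitimate SMS or accessibility app will score "review", and a dropper that requests these permissions only at runtime after a Play-store or phishing-page install will not show them in the initial manifest at all.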