New Android banking malware has been discovered on the official Google Play Store that targets 56 European banks and steals sensitive information from infected devices. It has been installed more than 50,000 times. The in-development software, nicknamed Xenomorph by Dutch security firm ThreatFabric, is believed to share similarities with another banking trojan known as Alien while being “radically different” in terms of the functionality it provides.
“Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores,” as stated by Han Sahin, the founder & CEO of ThreatFabric. “In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS.”
Alien, a remote access trojan (RAT) with notification-sniffing and authenticator-based two-factor authentication stealing capabilities, appeared shortly after the well-known Cerberus malware shut down in August 2020. Other Cerberus forks have since been discovered in the wild, including ERMAC in September 2021.
Like ERMAC and Alien, Xenomorph is an Android banking trojan that tries to get past the Google Play Store’s security checks by posing as a productivity app such as “Fast Cleaner” and tricking unsuspecting users into installing the malware. It’s worth noting that a fitness-training dropper app called GymDrop was discovered in November. It distributed the Alien banking trojan payload by disguising it as a “new package of workout exercises.”
According to data from mobile app market intelligence firm Sensor Tower, Fast Cleaner, which has the package name “vizeeva.fast.cleaner” and is still available on the app store, has been most popular in Portugal and Spain, with the app first appearing in the Play Store toward the end of January 2022. Xenomorph also employs the tried-and-true tactic of requesting Accessibility Service privileges from victims and then abusing those permissions to conduct overlay attacks. The malware injects malicious overlay screens on top of targeted banking apps from Spain, Italy, Portugal, and Belgium to steal credentials and other personal information.
It also has a notification interception capability that extracts two-factor authentication tokens sent through SMS and retrieves the list of installed apps, which is subsequently sent to a remote command-and-control server.