Upgraded Xenomorph Android Banking Trojan Resurfaces with Greater Potency
A recently released version of the Xenomorph Android malware has expanded its nefarious capabilities by introducing a sophisticated Automated Transfer System (ATS) framework, along with capable of stealing login credentials of 400+ financial institutions.
The latest version of the Android banking trojan, known as “Xenomorph 3rd generation” by the Hadoken Security Group, has been found to possess advanced features that allow malicious actors to conduct financial fraud with a high degree of ease and efficiency.
Originally targeting 56 European banks, the first version of the malware used overlay attacks through injection techniques and exploited accessibility services permissions to intercept notifications and steal one-time codes.
According to a report by the Dutch security firm, the latest version of the malware incorporates a multitude of additional features to an already multifaceted Android banking malware. The most noteworthy of these is a comprehensive runtime engine, bolstered by accessibility services, that enables malicious actors to seamlessly integrate a complete Automated Transfer System (ATS) framework.
The current version of Xenomorph, known as Xenomorph v3, is being spread through the ‘Zombinder’ platform, disguised as a currency converter app on the Google Play Store. Once the malware is installed, it hides itself by showing a Play Protect icon.
As explained by ThreatFabric, Xenomorph v3 is propagated through a Zombinder app that is paired with a bona fide currency converter application. The malware is then downloaded as an ‘update’, disguised as Google Protect.
The most recent version of Xenomorph is primarily aimed at 400 financial institutions across several countries including the United States, Turkey, Spain, Australia, Poland, Italy, Canada, France, Portugal, UAE, Germany, and India.
As banks are gradually shifting from SMS-based two-factor authentication (2FA) to authenticator apps, the Xenomorph trojan has incorporated an ATS module that permits it to launch the app and obtain the authenticator codes, thereby circumventing this security measure.
The Android malware also boasts of cookie-stealing functionalities, which allow threat actors to execute account takeover attacks.
Leave a Comment
Cancel