Xenomorph Android Malware Targets U.S. Banks and Crypto Wallets

A new strain of the Xenomorph Android malware has emerged, with cyber attackers now focusing their efforts on U.S. financial institutions and cryptocurrency wallets.
Security researchers have identified this evolving threat, which poses significant risks to Android users in several countries, including the United States.
Key Takeaways on the Xenomorph Android Malware Campaign Targeting U.S. Banks and Crypto Wallets:
- Xenomorph malware, previously a banking trojan, has resurfaced with a new campaign targeting U.S. banks and cryptocurrency apps.
- The malware employs phishing pages to deceive victims into downloading malicious APK files, expanding its focus to financial institutions in multiple countries.
- The latest version of Xenomorph includes new features like mimic capabilities, screen coordinate simulation, and an antisleep system, enhancing its stealth and persistence.
Unveiling the Xenomorph Malware
Xenomorph, a notorious Android malware strain, initially surfaced in early 2022 as a banking trojan that specifically targeted 56 European banks through screen overlay phishing. It found its way onto Google Play, accumulating over 50,000 installations.
Under the authorship of “Hadoken Security,” it underwent continuous development, culminating in a more modular and adaptable version released in June 2022. By then, Xenomorph had already earned its place among Zimperium’s top ten most prolific banking trojans, signifying its status as a significant threat.
Evolution of Xenomorph
In August 2022, a new distribution method emerged, utilizing a dropper called “BugDrop,” designed to bypass Android 13’s security features.
Subsequently, in December 2022, analysts discovered a fresh malware distribution platform named “Zombinder,” which discreetly embedded the threat within legitimate Android apps’ APK files.
The most recent version, unveiled in March 2023, introduced an automated transfer system (ATS) for autonomous on-device transactions, multi-factor authentication (MFA) circumvention, cookie theft, and expanded targeting to over 400 banks.
The Latest Xenomorph Campaign
In this latest campaign, the malware operators opted for phishing tactics, using pages that urge users to update their Chrome browser and ultimately lead them to download a malicious APK file.
Xenomorph continues to employ overlay techniques to steal sensitive information, but it has broadened its scope to include U.S. financial institutions and numerous cryptocurrency applications.
Each Xenomorph sample is now equipped with around a hundred overlays, tailored to target different sets of banks and crypto apps, depending on the demographics of the victims.
New Features in the Latest Version
While the recent Xenomorph samples may not differ significantly from their predecessors, they do introduce some noteworthy features, indicating ongoing refinement by their authors.
A new “mimic” function enables the malware to impersonate other applications. This feature includes an “IDLEActivity” that acts as a WebView displaying legitimate web content, which removes the need to hide the app's icon from the launcher, a behavior security tools often flag as suspicious.
Another addition is “ClickOnPoint,” which allows Xenomorph operators to simulate screen taps at specific coordinates. This facilitates actions such as bypassing confirmation screens without invoking the full ATS module, whose use could trigger security warnings.
Lastly, an “antisleep” system has been introduced, preventing the device screen from turning off by maintaining an active notification. This keeps the session alive and minimizes interruptions that would force the malware to re-establish command-and-control communications.
Additional Insights and Implications
Exploiting weak security measures, ThreatFabric analysts gained access to the malware operator’s payload hosting infrastructure.
There, they uncovered other malicious payloads, including Android malware variants like Medusa and Cabassous, Windows information stealers like RisePro and LummaC2, and the Private Loader malware loader.
Users are cautioned against responding to prompts for browser updates on their mobile devices, as these often serve as conduits for malware distribution.
The distribution of Xenomorph alongside potent Windows malware raises questions about collaboration among threat actors or the potential sale of the Android trojan as Malware-as-a-Service (MaaS).
Conclusion
The emergence of Xenomorph Android malware with a renewed focus on U.S. banks and cryptocurrency apps underscores the evolving nature of cyber threats. Android users, particularly those in the United States, must exercise caution and prioritize security measures to protect their devices and sensitive information.
As malware continues to advance, robust cybersecurity practices remain the first line of defense against these ever-present risks.