Last Updated on 21/02/2022 by Nidhi Khandelwal
A new Android banking trojan has been discovered on the official Google Play Store with over 50,000 installations; it targets 56 European banks and steals sensitive information from infected devices.
The still-in-development malware, dubbed Xenomorph by Dutch security firm ThreatFabric, is believed to share similarities with another banking trojan known as Alien while being “radically different” in terms of the functionality it offers.
Alien, a remote access trojan (RAT) with notification-sniffing and authenticator-based 2FA-stealing features, first appeared in August 2020, shortly after the notorious Cerberus malware went defunct. Other Cerberus forks have since been discovered in the wild, including ERMAC in September 2021.
Xenomorph, like Alien and ERMAC, is an Android banking trojan that tries to get past Google Play Store’s security measures by posing as a productivity app such as “Fast Cleaner” and tricking unwitting victims into installing the malware.
It is worth recalling that in November, a fitness training dropper app called GymDrop was discovered distributing the Alien banking trojan payload by disguising it as a “new package of workout routines.”
Xenomorph also employs the tried-and-true tactic of requesting Accessibility Service privileges from victims and then abusing those permissions to conduct overlay attacks, in which the malware injects rogue overlay screens on top of targeted apps from Spain, Portugal, Italy, and Belgium in order to steal credentials and other personal information.
It also has a notification interception capability that extracts two-factor authentication tokens sent via SMS, and it retrieves the list of installed apps, which is subsequently sent to a remote command-and-control server.
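Both abuse paths described above depend on two user-granted capabilities that Android exposes as secure settings: `enabled_accessibility_services` (overlay attacks) and `enabled_notification_listeners` (SMS 2FA interception). The following audit script is an added example written for this article, not code from ThreatFabric or from the malware; it parses the colon-separated `package/class` lists that `adb shell settings get secure <name>` returns, flags any component not in a device baseline, and raises the severity when one package holds both grants. The baseline entries and the `com.example.fastcleaner` sample package are assumptions constructed for the example; the TalkBack component is the real Android screen reader.

```python
from __future__ import annotations

from dataclasses import dataclass

# Baseline of components expected on a managed device (assumed for this example;
# a real deployment would derive its own from a clean reference device).
KNOWN_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
KNOWN_LISTENERS = {
    "com.example.wearcompanion/com.example.wearcompanion.WatchListener",  # constructed
}

# Constructed sample output of `adb shell settings get secure ...` on an infected device.
# The "fastcleaner" package is a placeholder modelled on the lure name, not a real IoC.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fastcleaner/.CleanerService"
)
SAMPLE_LISTENERS = "com.example.fastcleaner/com.example.fastcleaner.NotifyService"


@dataclass(frozen=True)
class Finding:
    setting: str    # which secure setting granted the capability
    component: str  # fully qualified package/class
    reason: str


def parse_component_list(raw: str | None) -> list[str]:
    """Parse a colon-separated ComponentName list as printed by `settings get secure`.

    `settings` prints the literal string "null" when nothing is granted. Entries may use
    the shorthand `pkg/.Cls`, which is expanded to `pkg/pkg.Cls` so comparisons are exact.
    """
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    components: list[str] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # malformed fragment; ignore rather than crash the audit
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        components.append(f"{pkg}/{cls}")
    return components


def audit_grants(
    accessibility_raw: str | None,
    listeners_raw: str | None,
    known_accessibility: set[str] = KNOWN_ACCESSIBILITY,
    known_listeners: set[str] = KNOWN_LISTENERS,
) -> list[Finding]:
    """Return one Finding per granted component that is absent from the baseline."""
    findings: list[Finding] = []
    for comp in parse_component_list(accessibility_raw):
        if comp not in known_accessibility:
            findings.append(Finding(
                "enabled_accessibility_services", comp,
                "accessibility service outside baseline: can draw overlays and read screen content",
            ))
    for comp in parse_component_list(listeners_raw):
        if comp not in known_listeners:
            findings.append(Finding(
                "enabled_notification_listeners", comp,
                "notification listener outside baseline: can read SMS 2FA codes from notifications",
            ))
    return findings


def packages_with_both(findings: list[Finding]) -> set[str]:
    """Packages holding both an unknown accessibility grant and an unknown listener grant.

    This combination matches the Xenomorph/Alien pattern and merits immediate triage.
    """
    by_setting: dict[str, set[str]] = {}
    for f in findings:
        by_setting.setdefault(f.setting, set()).add(f.component.split("/", 1)[0])
    return (by_setting.get("enabled_accessibility_services", set())
            & by_setting.get("enabled_notification_listeners", set()))


if __name__ == "__main__":
    results = audit_grants(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS)
    for f in results:
        print(f"[{f.setting}] {f.component}: {f.reason}")
    for pkg in packages_with_both(results):
        print(f"HIGH: {pkg} holds both accessibility and notification-listener access")
```

On a real device, feed the two `settings get secure` outputs into `audit_grants`; any finding, and especially a package returned by `packages_with_both`, is a reason to pull the APK for analysis and revoke the grants before the user interacts with a banking app again.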