Xenomorph Android Malware Targets Customers of 30 US Banks

The cybercriminals behind a sophisticated Android banking Trojan called Xenomorph, who have been actively targeting users in Europe for more than a year, recently set their sights on customers of more than two dozen US banks.

Among those in the threat actor's crosshairs are customers of major financial institutions such as Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. New samples of the malware analyzed by researchers at ThreatFabric showed that it also contains additional features targeting multiple crypto wallets including Bitcoin, Binance, and Coinbase.

Thousands of Android Users Affected

In a report this week, the Netherlands-based cybersecurity vendor said thousands of Android users in the United States and Spain since just August have downloaded the malware on their systems.

"Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions that have been historically of interest for this family, like Spain or Canada, and adding a large list of targets from the United States," ThreatFabric said. Users of Android devices from Samsung and Xiaomi — which together hold around 50% of Android market share — appear to be targets of specific interest for the threat actor.

Malware like Xenomorph highlight the growing and increasingly sophisticated nature of mobile threats, especially for Android users. A study released by Zimperium earlier this year showed that threat actors are significantly more interested in Android than iOS because of the higher number of vulnerabilities that are present in the Android environment. Zimperium found that Android app developers also tend to make more mistakes when developing apps than iOS developers do.

For the moment, adware and other potentially unwanted applications remain the top threat for Android users. But banking Trojans such as Xenomorph increasingly imperil these devices. In the first quarter of 2023 the share of banking Trojans as a percentage of all other mobile threats increased to nearly 19% compared to 18% the previous quarter. The more notable among them included remote access Trojans with capabilities for stealing banking information such as SpyNote.C, Hook, Malibot, and Triada.

Alien to Xenomorph

ThreatFabric was first reported on Xenomorph in February 2022 after spotting the banking Trojan masquerading as legitimate apps and utilities on Google's Play mobile app store. One of them was "Fast Cleaner" an app that purported to remove clutter and optimize battery life, but also sought to steal credentials to accounts belonging to customers of some 56 major European banks. More than 50,000 Android users downloaded the app on their Android devices.

At that time the malware was still under active development. Its many features included those for harvesting device information, intercepting SMS messages, and enabling online account takeovers. The company assessed that the developers of Xenomorph were likely the same — or had some connection to — as the ones behind another power Android remote access Trojan called Alien.

Like other banking malware, Xenomorph contained overlays that spoofs the account login pages of all the targeted banks, the researchers found in their 2022 analysis. So when an Android user with a compromised device attempted to log into an account with any of the banks on the target list, the malware automatically displayed a spoofed version of that bank's login page for capturing usernames, passwords, and other account information. Xenomorph also supported features for intercepting and stealing two-factor authentication tokens sent via SMS messages, giving the attackers a way to take over online accounts and steal funds from them.

Enter the new campaign in August 2023: in this latest round, the threat actors appear to have switched their primary malware distribution mechanism. Instead of smuggling Xenomorph into Google Play, the operators of the malware are now distributing it via phishing Web pages. In many cases, these pages have purported to be trusted Chrome browser update sites and or Google Play store websites.

One notable aspect about the most recent version of Xenomorph is its sophisticated and flexible Automatic Transfer System (ATS) framework for automatically transferring funds from a compromised device to an attacker controlled one. Xenomorph's ATS engine contains multiple modules that allow the threat actor to take control of a compromised device and execute a variety of malicious actions.

These include modules that allow the malware to grant itself all the permissions it needs to run unhindered on a compromised device. Other features allow the malware to disable settings, dismiss security alerts, stop device resets and device uninstalls, and prevent certain privileges from being revoked. Many of these are functions that were present in initial versions as well.

What is new are capabilities that allow the malware to write to storage and to prevent a compromised device from slipping into "sleep" mode.

"Xenomorph maintains its status as an extremely dangerous Android banking malware, featuring a very versatile and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturer's devices," ThreatFabric said.