A resurgence of the Xenomorph Android banking trojan has been observed by security researchers, targeting Android users in several countries including the United States, Canada, Spain, Italy, Portugal, and Belgium. The new campaign distributes an updated variant of the trojan and marks a further escalation of the threat to mobile banking customers.
Technical Overview of Xenomorph
Xenomorph, first identified in February 2022, is known for its sophisticated credential-theft techniques. It uses overlay screens drawn on top of legitimate banking apps to capture usernames and passwords, and it has a mature automated transfer system (ATS) engine that carries out fraudulent transactions directly on the infected device. Its capabilities also include MFA bypass, cookie theft, and target lists covering more than 400 banks and financial applications, showing both its adaptability and its reach.
In its latest campaign, the Xenomorph operators use phishing pages that trick users into downloading malicious APKs disguised as Chrome browser updates. The campaign has also expanded geographically, with a significant number of downloads observed in Spain and the United States, reflecting a broader trend among Android malware families of moving into new markets.
New capabilities of Xenomorph include:
- An anti-sleep feature that keeps the device awake so that command-and-control (C2) communication is not interrupted.
- A "mimic" mode that lets the malware present itself as another application, reducing the likelihood of detection.
- A "ClickOnPoint" feature that simulates taps at specific screen coordinates, supplementing the ATS engine's automated interaction with the device.
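The overlay, ATS, SMS and anti-sleep capabilities described above leave a recognisable footprint in an APK's manifest: a service protected by BIND_ACCESSIBILITY_SERVICE, the permission to draw over other apps, SMS access, and the ability to install further packages, often under a label such as "Chrome" on a package name that is not Google's. The following is an added example, not ThreatFabric's or the article's code, that triages a decoded AndroidManifest.xml (as produced by apktool or similar) for that combination. The two sample manifests are constructed for illustration, and the package and service names in them are made up.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component pattern of overlay/ATS banking trojans such as Xenomorph.

Added example (not ThreatFabric's or the article's code). The SAMPLE_*
manifests are constructed; their package and service names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Namespace-qualify an android:* attribute name for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


# uses-permission entries typical of overlay + ATS malware, each with a weight.
# Every one of them is legitimate in some apps, so only the combination is scored.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw overlays on top of other apps", 2),
    "android.permission.RECEIVE_SMS": ("intercept SMS one-time codes", 2),
    "android.permission.READ_SMS": ("read SMS one-time codes", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("install further APKs (dropper)", 2),
    "android.permission.QUERY_ALL_PACKAGES": ("enumerate installed banking apps", 1),
    "android.permission.WAKE_LOCK": ("keep the device awake (anti-sleep)", 1),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("stay alive in background", 1),
}
ACCESSIBILITY_WEIGHT = 3  # an accessibility service is what drives overlays and ATS
GENUINE_CHROME = {"com.android.chrome", "com.chrome.beta", "com.chrome.dev", "com.chrome.canary"}
SUSPICIOUS_SCORE = 5


def triage_manifest(manifest_xml: str) -> dict:
    """Return a score, the individual findings and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings, score = [], 0

    for node in root.iter("uses-permission"):
        name = node.get(_a("name"), "")
        if name in RISKY_PERMISSIONS:
            reason, weight = RISKY_PERMISSIONS[name]
            findings.append(f"{name}: {reason}")
            score += weight

    # Accessibility services are declared as a <service> protected by
    # BIND_ACCESSIBILITY_SERVICE, not as a uses-permission.
    for svc in root.iter("service"):
        if svc.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(f"accessibility service {svc.get(_a('name'))}: can read the screen and inject taps")
            score += ACCESSIBILITY_WEIGHT

    # Lure check: a "Chrome" label on a package that is not Google's Chrome.
    # A label given as @string/... would need the APK's resources to resolve.
    app = root.find("application")
    label = app.get(_a("label"), "") if app is not None else ""
    impersonation = "chrome" in label.lower() and package not in GENUINE_CHROME
    if impersonation:
        findings.append(f"label {label!r} on package {package}: impersonates Chrome")

    verdict = "suspicious" if (score >= SUSPICIOUS_SCORE or impersonation) else "no overlay/ATS pattern"
    return {"package": package, "label": label, "score": score,
            "impersonation": impersonation, "findings": findings, "verdict": verdict}


# Constructed manifest of a fake "Chrome update" dropper (names are made up).
SAMPLE_DROPPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.update.chrome.svc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Chrome">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that happens to hold WAKE_LOCK.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_DROPPER, SAMPLE_BENIGN):
        result = triage_manifest(manifest)
        print(f"{result['package']}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The weights are a triage heuristic, not a signature: a screen reader or a parental-control app will legitimately score on the accessibility service, and an SMS client on the SMS permissions. The combination of an accessibility service, overlay permission and a browser-like label on a non-Google package is what should send the sample to a sandbox.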
ThreatFabric analysts gained access to the infrastructure hosting the Xenomorph payloads and found it serving other malware as well, including the Android malware families Medusa and Cabassous, the Windows information stealers RisePro and LummaC2, and the PrivateLoader malware loader.
Recommendations for Users
- Be Cautious with Mobile Browser Updates: Chrome and other mobile browsers are updated through the app store, not through prompts on web pages. Treat any site urging you to download a browser update as a likely malware lure.
- Install Apps from Trusted Sources: Only download apps from the Google Play Store or another reputable app store, and avoid sideloading APKs from third-party websites.
- Regularly Update Your Device: Keep your Android operating system and apps updated to patch known vulnerabilities.
- Use Mobile Security Software: Install a reliable mobile security app with antivirus and anti-malware capabilities.
- Review App Permissions: Be mindful of the permissions requested by apps and avoid those seeking excessive access. Be especially wary of apps that ask to be enabled as an accessibility service or to draw over other apps, since those two capabilities are what overlay and ATS attacks are built on.
- Enable Google Play Protect: This feature scans installed apps for threats and regularly checks for malware.
- Secure Personal Information: Do not share sensitive information through insecure channels or unfamiliar apps.
- Enable Two-Factor Authentication (2FA): Use 2FA for mobile banking and other sensitive accounts. Where the bank offers it, prefer an authenticator app or hardware token over SMS codes, because malware running on the device can capture codes delivered to that same device.
- Stay Informed: Keep updated on the latest threats and trends related to Android banking trojans.
- Monitor Bank Statements: Regularly check your bank statements for unauthorized transactions.
- Secure Your Device: Use a strong unlock code or pattern, enable device encryption, and utilize biometric authentication if available.
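For anyone checking a device rather than reading advice, the "trusted sources" and "review permissions" points above reduce to two questions: which packages were not installed by an app store, and which packages currently hold an enabled accessibility service. The following added example (not the article's or ThreatFabric's code) answers both from the text of two standard adb commands, `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and ranks the overlap. The SAMPLE_* strings are constructed stand-ins for that output; apart from Chrome and TalkBack, the package names in them are made up.

```python
"""Device-side audit: cross-check sideloaded packages against enabled
accessibility services, as a Xenomorph-style triage of an Android device.

Added example (not the article's or ThreatFabric's code). It parses the text of
  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
The SAMPLE_* values are constructed stand-ins for that output.
"""
import re

# Installers regarded as trustworthy app stores; extend per fleet (OEM stores etc.).
STORE_INSTALLERS = {"com.android.vending"}
GENUINE_CHROME = {"com.android.chrome", "com.chrome.beta", "com.chrome.dev", "com.chrome.canary"}

# One line of `pm list packages -i`: "package:<pkg>  installer=<pkg or null>"
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package; 'null' means no installer was recorded."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installers[m.group("pkg")] = m.group("installer")
    return installers


def parse_accessibility(setting: str) -> set:
    """The secure setting is a colon-separated list of ComponentName strings (pkg/class)."""
    pkgs = set()
    for component in setting.strip().split(":"):
        if "/" in component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def audit(pm_output: str, a11y_setting: str) -> list:
    """Rank packages: sideloaded + accessibility enabled is the highest-signal combination."""
    installers = parse_installers(pm_output)
    a11y_pkgs = parse_accessibility(a11y_setting)
    report = []
    for pkg, installer in sorted(installers.items()):
        sideloaded = installer not in STORE_INSTALLERS
        a11y = pkg in a11y_pkgs
        lookalike = "chrome" in pkg.lower() and pkg not in GENUINE_CHROME
        score = int(sideloaded) + 2 * int(a11y) + int(lookalike)
        if score == 0:
            continue
        severity = "high" if score >= 3 else "medium" if score == 2 else "low"
        report.append({"package": pkg, "installer": installer, "sideloaded": sideloaded,
                       "accessibility_enabled": a11y, "chrome_lookalike": lookalike,
                       "severity": severity})
    return report


# Constructed output; com.update.chrome.svc and the others below are made up.
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.fileshare.app  installer=com.google.android.packageinstaller
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.update.chrome.svc  installer=null
"""
SAMPLE_A11Y = ("com.update.chrome.svc/com.update.chrome.svc.AccService:"
               "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")

if __name__ == "__main__":
    for entry in audit(SAMPLE_PM, SAMPLE_A11Y):
        print(f"[{entry['severity']:6}] {entry['package']} installer={entry['installer']} "
              f"sideloaded={entry['sideloaded']} accessibility={entry['accessibility_enabled']} "
              f"lookalike={entry['chrome_lookalike']}")
```

On the constructed input the fake Chrome package is the only high-severity hit: it was installed with no recorded installer, holds an enabled accessibility service, and carries "chrome" in a non-Google package name. TalkBack scores medium on the accessibility service alone, which is the expected false positive for a real screen reader, and a file-sharing app sideloaded through the package installer scores low. An installer of `null` or `com.google.android.packageinstaller` is what a "browser update" delivered from a phishing page looks like.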
Conclusion
The resurgence of the Xenomorph banking trojan, and in particular its distribution from the same infrastructure as Windows information stealers, raises the possibility of cooperation between cybercriminal groups or of a Malware-as-a-Service (MaaS) arrangement. Either way, it shows operators continuing to combine payloads and delivery channels to maximize their profits.
As mobile threats grow more sophisticated, users who bank from their phones should stay vigilant and adopt layered defenses: install only from app stores, refuse browser-update prompts from web pages, scrutinize accessibility and overlay permissions, and monitor accounts for unauthorized transactions. Awareness and proactive measures remain the most effective protection against evolving threats like Xenomorph.