Monday, November 11, 2024

New Version of Xenomorph Android Malware Attacks 400 Banks Customers


According to the latest findings from ThreatFabric, a new variant of the Android banking trojan known as Xenomorph has been discovered in the wild.

Mobile banking has been attracting growing attention from criminals, many of whom have abandoned rudimentary methods in favor of a more refined and professional approach to attacking mobile banking users.

This week, a new version of the Android malware known as Xenomorph was released. It contains a number of significant new features that can be used to conduct malicious attacks on Android devices and take control of them.


In addition, it can steal credentials for 400 banks and automate the transfer of funds between banks.

Distribution of Android Malware

Consequently, users should be cautious when installing apps from the Google Play store. They should read the reviews and run background checks on the publisher before installing an app from Google Play.

ThreatFabric was also able to identify some samples related to test campaigns thanks to its detection capabilities.

These samples appear to have been hosted on third-party services, specifically the Discord Content Delivery Network (CDN), which was abused to distribute them.

GymDrop began distributing Xenomorph to its customers in February 2022, and the first variants reached them in March. Later in the year, Hadoken switched distribution mediums, first trying BugDrop before settling on Zombinder.

New Targets of Xenomorph

Since its first appearance, Xenomorph has used overlay attacks as a means of collecting PII such as usernames and passwords.

A MaaS campaign involving Android banking malware may have different targets depending on the threat actor(s) managing it and the malware variant used.

Xenomorph maintained a relatively stable target configuration throughout 2022, specifically targeting Spain, Portugal, and Italy.

It is also worth mentioning that the most recent campaigns have added several cryptocurrency wallets, along with Belgian and Canadian institutions, to the target list.

Capabilities

Several new features distinguish this variant from the previous one. After analyzing the recent campaign, the experts concluded that the earlier variant lacked many of the features now present.

Below is a list of the updated capabilities that the threat actors have introduced in the new variant.

  • app_start: Start Specified Application
  • show_push: Show Push notification
  • cookies_handler: Obtain Cookies
  • send_sms: Send SMS
  • make_ussd: Run USSD Code
  • call_forward: Forward Call
  • execute_rum: Run ATS Module

To exploit the move by banks from SMS to authenticator apps for two-factor authentication (2FA), the Xenomorph trojan incorporates an ATS module that can launch the authenticator app and extract the codes from it.

Cookie-stealing capabilities have also been added to Xenomorph’s already wide-ranging arsenal.

The best way to ensure that your phone is secure is to keep the number of apps running on it as low as possible and only install apps from trusted and known vendors.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
