Cyber Security News

New Version of Xenomorph Android Malware Attacks 400 Banks Customers

As per the latest findings of ThreatFabric, a version of the Android banking trojan with the name Xenomorph has been discovered in the wild as a new variant of the trojan.

Mobile banking has been gaining a lot of attention from criminals recently as many have abandoned rudimentary approaches in favor of a more refined and professional approach to the world of mobile banking.

This week, a new version of the Android malware called Xenomorph has been released, which contains a number of significant new features that can be used to conduct malicious attacks on Android devices in order to gain control of them.

Aside from this, it also has the ability to steal credentials for 400 banks, as well as the capability to automate the transfer of funds between banks.

Distribution of Android Malware

Consequently, users should be cautious when installing apps from the Google Play store as a result of the threats they face. Users should read the reviews and run background checks on the publishers before installing an app from Google Play.

ThreatFabric was also able to identify some samples related to test campaigns as a result of its detection capabilities. 

These samples appear to have been obtained using third-party hosting services, specifically Discord Content Delivery Network (CDN), which have been used to abuse the distribution of the samples.

GymDrop began distributing Xenomorph to its customers in February of 2022, and the first variants were distributed to them in the month of March. Later in the year, Hadoken decided to switch distribution mediums, trying the first BugDrop before settling on Zombinder.

New Targets of Xenomorph

In the past few years, Xenomorph has been using overlay attacks as a means of collecting PII, such as passwords and usernames, since its first appearance.

A MaaS campaign with Android Banking malware may have different targets, depending on the threat actor(s) managing it and the malware variant.

The Xenomorphs, which maintained a relatively stable configuration throughout the year 2022, specifically targeted Spain, Portugal, and Italy during their attack in 2022.

It is also worth mentioning that several cryptocurrency wallets have also been introduced with the most recent campaigns, along with Belgian and Canadian institutions as well.


A few of the new features that have been added to this attack make it different from the previous one in several ways. After the recent attack, the experts have concluded that the previous attack didn’t have a lot of features as compared to the recent attack, so the previous attack was lacking a lot of new features.

In this section, you will find a list of all the updated capabilities that the threat actors have introduced in the new attack they have launched.

  • app_start: Start Specified Application
  • show_push: Show Push notification
  • cookies_handler: Obtain Cookies
  • send_sms: Send SMS
  • make_ussd: Run USSD Code
  • call_forward: Forward Call
  • execute_rum: Run ATS Module

In order to exploit the move by banks to implement authenticator apps instead of SMS for two-factor authentication (2FA), the Xenomorph trojan incorporates an ATS module that allows it to launch the app and extract the authenticator codes from the app.

Cookie stealer capabilities have also been added to Xenomorph’s arsenal of weapons, which already boasts a wide range of capabilities. 

The best way to ensure that your phone is secure is to keep the number of apps running on it as low as possible and only install apps from trusted and known vendors.

Network Security Checklist – Download Free E-Book

Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt…

5 hours ago

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a threat actor to read sensitive files…

5 hours ago

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes. Resecurity researchers have recently revealed that…

5 hours ago

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million Ecuadorian citizens. The announcement was made…

6 hours ago

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery efforts following a recent cybersecurity breach.…

9 hours ago

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection for Amazon Simple Storage Service (Amazon…

10 hours ago