Xenomorph

Security researchers discovered a new campaign that distributes a new version of the Xenomorph malware to Android users in the United States, Canada, Spain, Italy, Portugal, and Belgium.

Analysts at cybersecurity company ThreatFabric have been tracking Xenomorph activity since February 2022 and note that the new campaign launched in mid-August.

The latest version of Xenomorph is targeting users of cryptocurrency wallets and various U.S. financial institutions.

Xenomorph background

Xenomorph first appeared in the wild in early 2022, operating as a banking trojan that targeted 56 European banks through screen overlay phishing. It was distributed through Google Play, where it counted over 50,000 installations.

Its authors, "Hadoken Security," continued development, and in June 2022, they released a rewritten version that made the malware modular and more flexible.

By then, Xenomorph was on Zimperium's top ten most prolific banking trojans, so it had already achived the "major threat" status.

In August 2022, ThreatFabric reported that Xenomorph was being distributed via a new dropper named "BugDrop," which bypassed security features in Android 13.

In December 2022, the same analysts reported about a new malware distribution platform dubbed "Zombinder," which embedded the threat into legitimate Android apps' APK file.

Most recently, in March 2023, Hadoken released the third major version of Xenomorph, featuring an automated transfer system (ATS) for autonomous on-device transactions, MFA bypass, cookie stealing, and the ability to target over 400 banks.

New campaign

In the latest campaign, the malware operators opted to use phishing pages, luring visitors to update their Chrome browser and trick them into downloading the malicious APK.

Fake Chrome update notice
Fake Chrome update notice (ThreatFabric)

The malware continues to use overlays to steal information. However, it has now expanded its targeting scope to include financial institutions from the United States and multiple cryptocurrency apps.

Overlay mechanism in latest Xenomorph
Overlay mechanism in latest Xenomorph (ThreatFabric)

ThreatFabric explains that each Xenomorph sample is loaded with roughly a hundred overlays targeting different sets of banks and crypto apps, depending on the targeted demographic.

Number of targets seen in recent samples
Number of targets seen in recent samples (ThreatFabric)
"This latest campaign also added plenty of financial institutions from the United States, together with multiple crypto-wallet applications, totaling more than 100 different targets per sample, each one using a specifically crafted overlay to steal precious PII from the victim's infected device." - ThreatFabric
Banking trojans targeting U.S. institutions
Banking trojans targeting U.S. institutions (ThreatFabric)

Latest version

Although the new Xenomorph samples aren't vastly different from previous variants, they come with some new features indicating that its authors continue to refine and enhance the malware.

First, a new "mimic" feature can be activated by a corresponding command, giving the malware the capability to act as another application.

Additionally, mimic​​ has a built-in activity named IDLEActivity, which acts as a WebView to display legitimate web content from the context of a trusty process.

This system replaces the need to hide icons from the app launcher post-installation, which is flagged as suspicious behavior by most mobile security tools.

Xenomorph's new mimic system
Xenomorph's new mimic system (ThreatFabric)

Another new feature is "ClickOnPoint,", which allows Xenomorph operators to simulate taps at specific screen coordinates.

This allows the operators to move past confirmation screens or perform other simple actions without employing the full ATS module, which might trigger security warnings.

Finally, there's a new "antisleep" system that prevents the device from switching off its screen by means of an active notification.

This is useful for prolonging the engagement and avoiding interruptions that require re-establishing command and control communications.

Other findings

By taking advantage of weak security measures from the malware operator, ThreatFabric analysts could access their payload hosting infrastructure.

There, they discovered additional malicious payloads, including the Android malware variants Medusa and Cabassous, the Windows information stealers RisePro and LummaC2, and the Private Loader malware loader.

Users should be cautious with prompts to update their browsers, as those are likely part of malware distribution campaigns.

Xenomorph's distribution alongside potent Windows malware suggests collaboration between threat actors or the possibility of the Android trojan being sold as Malware-as-a-Service (MaaS).

Related Articles:

Android malware "FakeCall" now reroutes bank calls to attackers

New Octo Android malware version impersonates NordVPN, Google Chrome

Over 200 malicious apps on Google Play downloaded millions of times

TrickMo malware steals Android PINs using fake lock screen

New Google Pixel AI feature analyzes phone conversations for scams