The cybercriminals behind a sophisticated Android banking Trojan known as Xenomorph, who have been actively targeting users in Europe for more than a year, recently set their sights on customers of more than two dozen US banks.
Among those in the threat actor's crosshairs are customers of major financial institutions such as Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. New samples of the malware analyzed by researchers at ThreatFabric showed that it also contains additional features targeting several crypto wallets, including Bitcoin, Binance, and Coinbase.
Thousands of Android Users Affected
In a report this week, the Netherlands-based cybersecurity vendor said that thousands of Android users in the United States and Spain have downloaded the malware onto their devices since August alone.
"Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions that have been historically of interest for this family, like Spain or Canada, and adding a big list of targets from the United States," ThreatFabric said. Users of Android devices from Samsung and Xiaomi, which together hold around 50% of the Android market, appear to be targets of particular interest for the threat actor.
Malware like Xenomorph highlights the growing and increasingly sophisticated nature of mobile threats, especially for Android users. A study released by Zimperium earlier this year showed that threat actors are significantly more interested in Android than iOS because of the higher number of vulnerabilities present in the Android environment. Zimperium found that Android app developers also tend to make more mistakes when building apps than iOS developers do.
For the moment, adware and other potentially unwanted applications remain the top threat for Android users. But banking Trojans such as Xenomorph increasingly imperil these devices. In the first quarter of 2023, banking Trojans' share of all mobile threats rose to nearly 19%, compared with 18% the previous quarter. The more notable among them included remote access Trojans with capabilities for stealing banking information, such as SpyNote.C, Hook, Malibot, and Triada.
Alien to Xenomorph
ThreatFabric first reported on Xenomorph in February 2022 after spotting the banking Trojan masquerading as legitimate apps and utilities on Google's Play mobile app store. One of them was "Fast Cleaner," an app that purported to remove clutter and optimize battery life, but also sought to steal credentials for accounts belonging to customers of some 56 major European banks. More than 50,000 Android users downloaded the app onto their Android devices.
At the time the malware was still under active development. Its many features included those for harvesting device information, intercepting SMS messages, and enabling online account takeovers. The company assessed that the developers of Xenomorph were likely the same as, or had some connection to, those behind another powerful Android remote access Trojan called Alien.
Like other banking malware, Xenomorph contained overlays that spoof the account login pages of all the targeted banks, the researchers found in their 2022 analysis. So when an Android user with a compromised device tried to log into an account with any of the banks on the target list, the malware automatically displayed a spoofed version of that bank's login page on top of the real app to capture usernames, passwords, and other account information. Xenomorph also supported features for intercepting and stealing two-factor authentication codes sent via SMS, giving the attackers a way to take over online accounts and steal funds from them.
Enter the new campaign in August 2023: in this latest round, the threat actors appear to have switched their primary malware distribution mechanism. Instead of smuggling Xenomorph into Google Play, the operators of the malware are now distributing it via phishing Web pages. In many cases, these pages have posed as trusted Chrome browser update sites or Google Play store pages, so the victim sideloads the APK themselves.
One notable aspect of the newest version of Xenomorph is its sophisticated and flexible Automatic Transfer System (ATS) framework for automatically moving funds out of accounts reached from a compromised device and into attacker-controlled ones. Xenomorph's ATS engine contains multiple modules that allow the threat actor to take control of a compromised device and execute a variety of malicious actions.
These include modules that allow the malware to grant itself all the permissions it needs to run unhindered on a compromised device. Other features allow the malware to disable settings, dismiss security alerts, block device resets and uninstall attempts, and prevent certain privileges from being revoked. Many of these functions were present in initial versions as well.
What's new are capabilities that allow the malware to write to storage and to prevent a compromised device from slipping into "sleep" mode.
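The behaviours described in the last few paragraphs (an APK sideloaded from a fake Chrome or Play update page, the ability to draw overlays over banking apps, SMS capture for 2FA codes, self-granted permissions, and keeping the device awake) also make a usable triage checklist for a device you suspect is infected. The script below is an added example, not ThreatFabric's code or anything from their report: it parses the pasted text of three `adb shell` commands (`pm list packages -i`, `dumpsys package <pkg>`, and `settings get secure enabled_accessibility_services`) and flags sideloaded packages that can overlay other apps or have an accessibility service enabled. The mapping of the article's behaviours to Android permissions (SYSTEM_ALERT_WINDOW for overlays, RECEIVE_SMS/READ_SMS, WAKE_LOCK) is general Android knowledge rather than anything the report states, the trusted-installer list is an assumption you should extend for your fleet, and the sample command output is constructed; real `dumpsys package` layout varies by Android version, and the parser only looks for `<permission>: granted=true` lines.

```python
"""Offline triage of an Android package inventory for the traits the article
attributes to Xenomorph.  Added example, not ThreatFabric's tooling; the input
is text copied from three adb commands and the sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Installer package names treated as trusted app stores (assumption for this
# example; extend it for the stores present on your devices).
TRUSTED_INSTALLERS = {
    "com.android.vending",               # Google Play
    "com.sec.android.app.samsungapps",   # Samsung Galaxy Store
    "com.xiaomi.market",                 # Xiaomi GetApps
}

# Android permissions behind the behaviours in the article (general Android
# knowledge, not taken from the report).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
KEEP_AWAKE = {"android.permission.WAKE_LOCK",
              "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}

# `pm list packages -i` prints "package:<pkg>  installer=<pkg or null>"
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
# `dumpsys package <pkg>` prints "<permission>: granted=true|false" lines
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


@dataclass
class Finding:
    package: str
    installer: str
    reasons: list = field(default_factory=list)


def parse_installers(pm_list_output: str) -> dict:
    """Map package name -> installing package from `pm list packages -i`."""
    result = {}
    for line in pm_list_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_granted(dumpsys_output: str) -> set:
    """Set of granted permissions found in `dumpsys package <pkg>` output."""
    return {m.group(1) for line in dumpsys_output.splitlines()
            if (m := PERM_RE.match(line)) and m.group(2) == "true"}


def parse_accessibility(settings_output: str) -> set:
    """Packages with an enabled accessibility service.  The setting is a
    colon-separated list of pkg/ServiceClass entries, or 'null' when empty."""
    text = settings_output.strip()
    if text in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in text.split(":") if entry}


def triage(pm_list_output: str, dumpsys_by_pkg: dict, settings_output: str) -> list:
    """Return a Finding for each sideloaded package that can overlay the
    screen or drive the UI through an accessibility service."""
    a11y = parse_accessibility(settings_output)
    findings = []
    for pkg, installer in parse_installers(pm_list_output).items():
        granted = parse_granted(dumpsys_by_pkg.get(pkg, ""))
        sideloaded = installer not in TRUSTED_INSTALLERS
        reasons = []
        if sideloaded:
            reasons.append(f"sideloaded (installer={installer})")
        if OVERLAY in granted:
            reasons.append("can draw over other apps (overlay)")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if granted & SMS_PERMS:
            reasons.append("can read/receive SMS")
        if granted & KEEP_AWAKE:
            reasons.append("can keep device awake")
        # A sideloaded flashlight is not interesting; a sideloaded app that
        # can overlay or automate the UI is the combination worth a human look.
        if sideloaded and (OVERLAY in granted or pkg in a11y):
            findings.append(Finding(pkg, installer, reasons))
    return findings


# Constructed sample output (package names are invented for the example).
SAMPLE_PM_LIST = """\
package:com.example.bank  installer=com.android.vending
package:com.example.chromeupdate  installer=null
package:com.example.flashlight  installer=null
"""
SAMPLE_DUMPSYS = {
    "com.example.bank": "    install permissions:\n"
                        "      android.permission.INTERNET: granted=true\n",
    "com.example.chromeupdate": "    install permissions:\n"
                        "      android.permission.INTERNET: granted=true\n"
                        "      android.permission.SYSTEM_ALERT_WINDOW: granted=true\n"
                        "      android.permission.WAKE_LOCK: granted=true\n"
                        "    runtime permissions:\n"
                        "      android.permission.RECEIVE_SMS: granted=true\n"
                        "      android.permission.READ_SMS: granted=true\n",
    "com.example.flashlight": "    install permissions:\n"
                        "      android.permission.INTERNET: granted=true\n",
}
SAMPLE_A11Y = "com.example.chromeupdate/com.example.chromeupdate.AccessService"

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS, SAMPLE_A11Y):
        print(f.package, "->", "; ".join(f.reasons))
```

On a real device, capture the three outputs with `adb shell pm list packages -i`, `adb shell dumpsys package <pkg>` for each package of interest, and `adb shell settings get secure enabled_accessibility_services`, then feed the text to `triage`. The check deliberately keys on the sideloaded-plus-overlay/accessibility combination rather than on any single permission, because legitimate apps from the vendor store hold these permissions too.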
"Xenomorph maintains its status as an extremely dangerous Android banking malware, featuring a very flexible and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturers' devices," ThreatFabric said.