Android banking trojan Xenomorph targeting users in the United States and Canada

esteria.white

Newly identified samples of the Xenomorph Android banking Trojan show an expanded target list that now includes North American users, online fraud detection firm ThreatFabric reports.

Originally detailed in February 2022 and likely related to the infamous Alien banking Trojan, Xenomorph relies on overlays to steal users’ personal and login information. It can also intercept notifications and SMS messages to bypass two-factor authentication.

The malware relies on an Automated Transfer System (ATS) framework that supports a wide range of actions that can be chained together in sequences to manipulate infected devices, collect information, disable security features, and hide malicious activity.

Last year, the threat was seen targeting banking apps from Belgium, Italy, Portugal and Spain, as well as some cryptocurrency wallets and messaging apps, but the recently identified samples show a broader target list.

According to ThreatFabric, Xenomorph variants observed in August 2023 show that the malware has matured, adding several new modules that make it more effective.

Distributed via phishing pages masquerading as a Chrome update but instead delivering a malicious APK, Xenomorph has been updated with dozens of new overlays for financial institutions in the United States, Portugal and Spain, as well as for several crypto wallets.

Following the update, the malware can now target more than 30 financial apps used in the United States, 25 used in Spain, and more than 15 banking apps in Canada.


Each of the newly observed samples contains more than 100 overlays specially designed to steal personal and financial information from victims’ devices.

The samples also show that Xenomorph has been updated with new commands to start/stop an impersonation function, to prevent the device from entering sleep mode, and to simulate a touch on specific screen coordinates.

According to ThreatFabric, the mimic activity allows the malware to impersonate another application running on the device, in order to avoid triggering behavior-based detection.

ThreatFabric discovered that the malware’s operators were not restricting access to their distribution server, which also contains information about Xenomorph distribution and evidence that desktop users are also being targeted.

“This campaign is heavily focused on Spain, with over 3,000 downloads in the space of a few weeks, followed by a large margin of downloads from the United States and Portugal, with over 100 downloads each,” says the fraud detection company.

Analysis of files on the distribution server also showed use of the RisePro, Private Loader and LummaC2 stealers, suggesting that the server could be part of a distribution service.

“The fact that we saw Xenomorph being distributed side by side with powerful desktop stealers is very exciting news. This could indicate a connection between the threat actors behind each of these malware families, or it could mean that Xenomorph is officially being sold as MaaS to actors who exploit it along with other malware families,” concludes ThreatFabric.

Related: New Android Trojan ‘MMRat’ Targets Users in Southeast Asia

Related: New Android Trojans Infected Many Devices in Asia Via Google Play and Phishing

Related: Android Trojan “Nexus” targets 450 financial apps
