Xenomorph Android Banking Trojan Makes Landfall in US

A sophisticated Android banking trojan that was first seen last year targeting banking apps in several European countries has made its way across the Atlantic Ocean, looking to steal credentials and money from customers of such U.S. financial institutions as Chase, Bank of America, American Express, and USAA.

In all, the Xenomorph malware is zeroing in on users of more than three dozen such U.S. organizations, with Spain and Canada following, in a campaign that started in August, according to researchers with Netherlands-based cybersecurity firm ThreatFabric.

The rapidly evolving banking trojan is not only making its way into the United States, but it also comes with a number of new features, including an anti-sleep capability to keep the compromised device from going into sleep mode and a “mimic” feature that lets the trojan pose as any other app on the device rather than revealing itself as malware.

“Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions that have been historically of interest for this family, like Spain or Canada, and adding a large list of targets from the United States, as well as multiple new Cryptowallets,” the researchers wrote in a report this week.

ThreatFabric first reported on Xenomorph in February 2022, when it was targeting the users of 56 European banks and being distributed through the official Google Play Store, with more than 50,000 installations at the time.

This comes at a time when the number of banking trojans is on the rise as mobile services and technologies become more prevalent. Kaspersky earlier this year said that it detected 196,476 mobile banking trojans in 2022, twice as many as the previous year and the largest number in six years.

“This underscores that cybercriminals are targeting mobile users and increasingly more interested in stealing financial data and actively investing in the creation of new malware, which may lead to major losses for their targets,” Kaspersky researchers wrote in their report.

Overlays and an ATS Framework

The malware uses overlays – fraudulent login screens that sit atop the legitimate banking apps – to steal a range of sensitive data, such as users’ credentials, including usernames and passwords, and credit card numbers, and it can bypass two-factor authentication (2FA) protections by intercepting SMS text messages and notifications.

“The control server transmits to the bot a list of URLs containing the address from which the malware can retrieve the overlays for the infected device,” the researchers wrote. “Such overlays are encrypted using a combination of an algorithm specific to Xenomorph and AES. Once decrypted, the overlay poses as login pages for the targeted applications.”

Xenomorph also uses an automated transfer system (ATS) engine that provides a large number of actions – what the threat actors call “modules” – that can be chained into sequences to manipulate the settings of the compromised device, including disabling security and other features, writing permissions, and obtaining Google Authenticator 2FA codes.

According to the ThreatFabric researchers, the operators behind Xenomorph have aimed many of their modules at Samsung and Xiaomi phones, which they said account for about half of the Android OS market share.

The new campaign not only added U.S. financial institutions to its list of targets, but also multiple cryptocurrency wallet applications, totaling more than 100 different targets in each sample of the malware ThreatFabric analyzed, with an overlay specifically crafted for each institution and wallet.

Expanding the Target Regions

Much of what the Xenomorph operators are doing dovetails with activities of other malware groups.

“Many other malware families have started expanding their area of interest across the Atlantic Ocean, including the most distributed MaaS (Malware-as-a-Service) families, such as Octo, Hydra, and Hook, and some of the most notorious privately operated families, such as Anatsa.”

The campaign also distributed the malware via phishing pages posing as a Chrome update, in line with the common, generic lures used by other malware families, such as fake Google Chrome browser or Google Play Store updates. Such lures are likely to make targeted users less suspicious and more willing to install the apps on their devices.

The researchers found that the most recent campaign is heavily focused on Spain, where there were more than 3,000 downloads in the span of a few weeks. The United States and Portugal also have large numbers of downloads, with more than 100 each.

They also noted that, more recently, the system that was distributing Xenomorph began distributing the Octo (ExobotCompact) trojan. This is either because the server is being used by one actor operating multiple threats, or because the server is part of a distribution service, with samples being handed to the distributor to send out, so that the same server serves disparate operators and campaigns.

Pulling in Desktops

Another quirk of the new Xenomorph campaign is that it is also targeting desktops, using such info-stealers as RisePro and LummaC2.

“The fact that we saw Xenomorph being distributed side-by-side with powerful desktop stealers is very interesting news,” the ThreatFabric researchers wrote. “It could indicate a connection between the threat actors behind each of these malware, or it could mean that Xenomorph is being officially sold as a MaaS to actors, who operate it together with other malware families.”

They added that “in each case, it indicates an activity from Xenomorph which we have not seen before, but which we might see a lot of in the near future.”


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
