A sophisticated Android banking trojan that was first seen last year targeting banking apps in several European countries has made its way across the Atlantic Ocean, attempting to steal credentials and money from customers of U.S. financial institutions such as Chase, Bank of America, American Express, and USAA.
In all, the Xenomorph malware is zeroing in on customers of more than three dozen such organizations in the United States, followed by Spain and Canada, in a campaign that began in August, according to researchers with Netherlands-based cybersecurity firm ThreatFabric.
The rapidly evolving banking trojan is not only making its way into the United States, but also comes with a range of new features, including an anti-sleep capability that keeps the compromised device from going into sleep mode and a "mimic" feature that lets the trojan pose as any other app on the device rather than as malware.
“Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions that have been historically of interest for this family, like Spain or Canada, and adding a large list of targets from the United States, as well as multiple new Cryptowallets,” the researchers wrote in a report this week.
ThreatFabric first reported on Xenomorph in February 2022, when it was targeting the customers of 56 European banks and being distributed through the official Google Play Store, with more than 50,000 installations at the time.
This comes at a time when the number of banking trojans is on the rise as mobile services and technologies become more prevalent. Kaspersky earlier this year said that it detected 196,476 mobile banking trojans in 2022, twice as many as the previous year and the largest number in six years.
"This underscores that cybercriminals are targeting mobile users and increasingly more interested in stealing financial data and actively investing in the creation of new malware, which may lead to major losses for their targets," Kaspersky researchers wrote in their report.
Overlays and an ATS Framework
The malware uses overlays, fraudulent login screens that sit on top of the legitimate banking apps, to steal a range of sensitive data such as users' credentials, including usernames and passwords, and credit card numbers. It can also bypass two-factor authentication (2FA) protections by intercepting SMS text messages and notifications.
“The control server transmits to the bot a list of URLs containing the address from which the malware can retrieve the overlays for the infected device,” the researchers wrote. “Such overlays are encrypted using a combination of an algorithm specific to Xenomorph and AES. Once decrypted, the overlay poses as login pages for the targeted applications.”
Xenomorph also uses an automated transfer system (ATS) engine that provides various actions, which the threat actors call "modules", that can be used and chained into sequences to manipulate the settings of compromised devices, including disabling security and other features, granting permissions, and harvesting Google Authenticator 2FA codes.
According to the ThreatFabric researchers, the operators behind Xenomorph have aimed many of their modules at Samsung and Xiaomi phones, which they said account for about half of the Android OS market share.
The new campaign not only added U.S. financial institutions to its list of targets, but also several cryptocurrency wallet applications, totaling more than 100 different targets in each sample of the malware ThreatFabric analyzed, each with an overlay specifically crafted for that institution or wallet.
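The overlay and 2FA-interception behaviour described above leaves a footprint in an app's manifest: drawing a fake login screen over another app needs SYSTEM_ALERT_WINDOW or an accessibility service, and reading one-time codes needs SMS or notification-listener access. The following is an added triage example written for this article, not ThreatFabric's code and not anything taken from Xenomorph itself. The permission names are real Android constants; the grouping into capabilities, the "overlay plus OTP theft" rule, and both sample manifests are this example's own assumptions and constructed inputs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Real Android permission names mapped to the capability an overlay banking
# trojan gets from each. The capability labels are this example's own
# triage heuristic, not an Android or ThreatFabric taxonomy.
CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "ui_automation",
    "android.permission.RECEIVE_SMS": "sms_intercept",
    "android.permission.READ_SMS": "sms_intercept",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_intercept",
    "android.permission.QUERY_ALL_PACKAGES": "target_enumeration",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}

OTP_THEFT = ("sms_intercept", "notification_intercept")
SCREEN_CONTROL = ("overlay", "ui_automation")


def manifest_capabilities(manifest_xml):
    """Collect trojan-relevant capabilities from a decoded AndroidManifest.xml.

    Returns {capability: [declaring permission or service name, ...]}.
    """
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        perm = node.get(A_NAME)
        if perm in CAPABILITIES:
            found.setdefault(CAPABILITIES[perm], []).append(perm)
    # Accessibility and notification-listener access are not requested with
    # <uses-permission>; they are <service> elements guarded by android:permission.
    for svc in root.iter("service"):
        perm = svc.get(A_PERMISSION)
        if perm in CAPABILITIES:
            found.setdefault(CAPABILITIES[perm], []).append(svc.get(A_NAME, "<unnamed>"))
    return found


def overlay_trojan_verdict(caps):
    """Flag the overlay-plus-2FA-theft combination.

    Suspicious when the app can put a screen on top of other apps (directly via
    SYSTEM_ALERT_WINDOW, or by driving the UI through an accessibility service)
    AND can read one-time codes out of SMS or notifications. Either half alone
    is common in legitimate apps, so only the combination is flagged.
    Returns (suspicious, sorted list of the capabilities that drove the verdict).
    """
    can_control_screen = any(c in caps for c in SCREEN_CONTROL)
    can_steal_otp = any(c in caps for c in OTP_THEFT)
    reasons = sorted(c for c in caps if c in SCREEN_CONTROL + OTP_THEFT)
    return (can_control_screen and can_steal_otp), reasons


# Constructed sample: a fake "browser update" lure declaring the full set.
LURE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browserupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application>
        <service android:name=".A11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".NotifSink"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Constructed sample: an ordinary SMS app reads messages but draws no overlays.
SMS_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("lure", LURE_MANIFEST), ("sms app", SMS_APP_MANIFEST)):
        caps = manifest_capabilities(xml)
        suspicious, reasons = overlay_trojan_verdict(caps)
        print("%s: suspicious=%s capabilities=%s" % (label, suspicious, reasons))
```

Run it against a manifest pulled out of an APK with apktool or aapt. It is a triage filter, not a verdict: accessibility-based screen readers, SMS clients and notification managers legitimately hold one half of the combination, which is why the rule only fires when screen control and OTP access appear together in the same package.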
Expanding the Target Regions
Much of what the Xenomorph operators are doing dovetails with the actions of other malware groups.
“Many other malware families have started expanding their area of interest across the Atlantic Ocean, including the most distributed MaaS (Malware-as-a-Service) families, such as Octo, Hydra, and Hook, and some of the most notorious privately operated families, such as Anatsa.”
The campaign also distributed the malware through phishing pages posing as a Chrome update, in line with the lures used by other malware families, which are common and generic, such as the Google Chrome browser or the Google Play store. That is likely to make targeted users less suspicious and more likely to install the apps on their devices.
The researchers found that the latest campaign is heavily focused on Spain, where there were more than 3,000 downloads in the span of a few weeks. The United States and Portugal also have large numbers of downloads, with more than 100 each.
They also noted that more recently, the system that was distributing Xenomorph began distributing Octo's ExobotCompact trojan. Either the server is being used by one actor deploying multiple threats, or it is part of a distribution service, with samples handed to the distributor to send out, essentially using the same server for disparate operators and campaigns.
Pulling in Desktops
Another quirk of the new Xenomorph campaign is that it is also targeting desktops, with info-stealers such as RisePro and LummaC2 distributed alongside the Android trojan.
“The fact that we saw Xenomorph being distributed side-by-side with powerful desktop stealers is very interesting news,” the ThreatFabric researchers wrote. “It could indicate a connection between the threat actors behind each of these malware, or it could mean that Xenomorph is being officially sold as a MaaS to actors, who operate it together with other malware families.”
They added that "in each case, it indicates an activity from Xenomorph which we have not seen before, but which we might see a lot of in the near future."
Original Post URL: https://securityboulevard.com/2023/09/xenomorph-android-banking-trojan-makes-landfall-in-us/
Category & Tags: Application Security, Cybersecurity, Data Security, Featured, Identity & Access, Industry Spotlight, Malware, Mobile Security, News, Security Boulevard (Original), Spotlight, Threats & Breaches, android malware, banking trojan, MaaS
Author: Jeffrey Burt
Date: 2023-09-26 22:46:27