The cybercriminals behind a sophisticated Android banking Trojan known as Xenomorph, who have been actively targeting users in Europe for more than a year, recently set their sights on customers of more than two dozen US banks.
Among those in the threat actor's crosshairs are customers of major financial institutions such as Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. New samples of the malware analyzed by researchers at ThreatFabric showed that it also incorporates additional features targeting several crypto wallets, including Bitcoin, Binance, and Coinbase.
Thousands of Android Users Affected
In a report this week, the Netherlands-based cybersecurity vendor said thousands of Android users in the US and Spain have downloaded the malware onto their devices since just August.
“Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions that have been historically of interest for this family, like Spain or Canada, and adding a large list of targets from the United States,” ThreatFabric said. Users of Android devices from Samsung and Xiaomi, which together hold around 50% of the Android market share, appear to be targets of particular interest for the threat actor.
Malware like Xenomorph highlights the growing and increasingly sophisticated nature of mobile threats, especially for Android users. A study released by Zimperium earlier this year showed that threat actors are significantly more interested in Android than iOS because of the higher number of vulnerabilities present in the Android environment. Zimperium found that Android app developers also tend to make more mistakes when developing apps than iOS developers do.
For the moment, adware and other potentially unwanted applications remain the top threat for Android users. But banking Trojans such as Xenomorph increasingly imperil these devices. In the first quarter of 2023, the share of banking Trojans as a proportion of all other mobile threats increased to nearly 19%, compared with 18% the previous quarter. The more notable among them included remote access Trojans with capabilities for stealing banking data, such as SpyNote.C, Hook, Malibot, and Triada.
Alien to Xenomorph
ThreatFabric first reported on Xenomorph in February 2022 after spotting the banking Trojan masquerading as legitimate apps and utilities on Google's Play mobile app store. One of them was “Fast Cleaner,” an app that purported to remove clutter and optimize battery life but also sought to steal credentials for accounts belonging to customers of some 56 major European banks. More than 50,000 Android users downloaded the app onto their Android devices.
At the time, the malware was still under active development. Its many features included those for harvesting device information, intercepting SMS messages, and enabling online account takeovers. The company assessed that the developers of Xenomorph were likely the same as, or had some connection to, those behind another powerful Android remote access Trojan known as Alien.
Like other banking malware, Xenomorph contained overlays that spoof the account login pages of all the targeted banks, the researchers found in their 2022 analysis. So when an Android user with a compromised device tried to log into an account with any of the banks on the target list, the malware automatically displayed a spoofed version of that bank's login page to capture usernames, passwords, and other account information. Xenomorph also supported features for intercepting and stealing two-factor authentication tokens sent via SMS messages, giving the attackers a way to take over online accounts and steal funds from them.
Enter the new campaign in August 2023: in this latest round, the threat actors appear to have switched their primary malware distribution mechanism. Instead of smuggling Xenomorph into Google Play, the operators of the malware are now distributing it via phishing Web pages. In many cases, these pages have purported to be trusted Chrome browser update sites or Google Play store websites.
One notable aspect of the latest version of Xenomorph is its sophisticated and versatile Automated Transfer System (ATS) framework for automatically transferring funds from a compromised device to an attacker-controlled one. Xenomorph's ATS engine incorporates several modules that allow the threat actor to take control of a compromised device and execute a variety of malicious actions.
These include modules that allow the malware to grant itself all the permissions it needs to run unhindered on a compromised device. Other features allow the malware to disable settings, dismiss security alerts, stop device resets and uninstalls, and prevent certain privileges from being revoked. Many of these are features that were present in initial versions as well.
What's new are capabilities that allow the malware to write to storage and to prevent a compromised device from slipping into “sleep” mode.
“Xenomorph maintains its status as an extremely dangerous Android banking malware, featuring a very versatile and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturer’s devices,” ThreatFabric said.
Author: Jai Vijayan, Contributing Writer, Dark Reading
Date: 2023-09-25 17:17:00