The Xenomorph banking trojan has returned with a vengeance, posing an even greater risk to Android users. The updated version targets more than 100 banking and cryptocurrency apps, including 35 major U.S. financial institutions. The campaign, documented by Dutch cybersecurity firm ThreatFabric, relies on phishing websites for distribution and has expanded its reach to countries such as Spain, Canada, Italy, Portugal, and Belgium.
In this article, we cover the latest developments surrounding the malware and how it operates, and provide practical steps to safeguard your Android device against this evolving threat.
Descended from the Alien banking malware, Xenomorph has gone through several iterations, each adding capabilities. The latest version not only targets a wide array of banking and cryptocurrency apps but also adds an “antisleep” feature that keeps the device’s screen awake, a “mimic” capability that lets it pose as another app, and a “ClickOnPoint” function that simulates screen taps at given coordinates.
The operators distribute the malware through phishing websites. Victims are lured into downloading a malicious Android app by counterfeit pages that claim the Chrome browser urgently needs an update. A user who falls for the ruse installs an APK file containing Xenomorph, which then infects the phone.
Xenomorph’s primary objective is unchanged: stealing user credentials for banking and cryptocurrency applications. It does this through overlay attacks, drawing a counterfeit login screen on top of the legitimate app. When the user types their login details into the overlay, the malware captures them.
Notable targets include Chase, Citi, Bank of America, Capital One, PNC, Santander, TD Bank, Wells Fargo, Coinbase, and Binance. The overlays are region-specific: the malware serves login pages matching the banks used in the victim’s country.
The standout feature of this version is the “Automatic Transfer System” (ATS), which gives the operators, known as Hadoken Security, effective control over a compromised device. ATS abuses Android’s accessibility services, which were designed to let assistive apps read the screen and act on the user’s behalf, to navigate the banking app and move funds from the victim’s account to accounts controlled by the threat actors without further input from the victim. Xenomorph also includes logic specific to Samsung and Xiaomi devices, which together make up a significant share of the Android market.
To safeguard against Android malware like Xenomorph, users should take the following precautions:
Always be on the lookout for anything that seems off. If you aren’t sure of the legitimacy of a file, ask an IT professional or ignore the file. A legitimate sender will very rarely hand you an APK file directly.
Sideloading means installing apps without going through an official app store (Google Play, Samsung Galaxy Store, Amazon Appstore). Downloading a .apk file from a website and installing it on your Android device manually is one form to avoid; installing a third-party app store to get around the restrictions of the official one is another. Because those packages are not vetted by the store for your device, you can’t be sure nothing malicious is included in them, and a sideloaded app that asks you to enable an accessibility service is a strong warning sign, since that is exactly the permission Xenomorph’s ATS depends on.
Consider installing a well-reviewed Android antivirus application. Google Play Protect scans for known malware, but dedicated Android antivirus apps add features such as scanning of sideloaded packages and warnings about risky permissions. Many are free, or come bundled with your phone.
Be wary of any webpage that asks you to install a browser update to proceed. Chrome on Android is updated through the Play Store, not by downloading a file from a website, so a page offering a Chrome APK is a red flag. If you want to be sure your browser stays current, enable automatic updates in the Play Store; it’s a set-and-forget setting. With that enabled, you can safely ignore any website telling you to update.
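The two warning signs discussed above, a sideloaded package and an enabled accessibility service, can be checked from a workstation with adb. The following script is an added example (not ThreatFabric’s code or anything from the original article): it parses the text output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`, and flags sideloaded packages, with the highest severity for one that also has an accessibility service enabled. The sample output, the package names in it, and the list of trusted installers are constructed for the example and are assumptions; adjust the installer list to the stores your device actually uses.

```python
"""Flag sideloaded Android packages and those that also hold an enabled
accessibility service, from the text output of two adb commands.

Added example for this article, not the malware author's or ThreatFabric's code.
Input formats are those of `adb shell pm list packages -3 -i` and
`adb shell settings get secure enabled_accessibility_services`; the sample
text below is constructed so the script runs without a device.
"""
from __future__ import annotations

from dataclasses import dataclass

# Installers treated as trusted stores. Assumption: this list is not exhaustive
# (OEM stores differ by device); extend it for the phone you are checking.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
    "com.amazon.venezia",               # Amazon Appstore
}

# Constructed sample of `adb shell pm list packages -3 -i` output.
# Package names other than Chrome and TalkBack are made up for the example.
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.bank.example  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.pkg  installer=null
package:com.example.sidegame  installer=null
package:com.example.launcher  installer=com.sec.android.app.samsungapps
"""

# Constructed sample of the enabled_accessibility_services secure setting:
# colon-separated "package/ServiceClass" components.
SAMPLE_ENABLED_A11Y = (
    "com.chrome.update.pkg/com.chrome.update.pkg.UpdaterService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


@dataclass
class Finding:
    package: str
    installer: str | None      # None means no recorded installer (sideloaded)
    a11y_services: list[str]
    severity: str              # "high", "medium" or "info"


def parse_installed(pm_output: str) -> dict[str, str | None]:
    """Map package name -> installer package, None when pm reports null/none."""
    installed: dict[str, str | None] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        tokens = line.split()
        name = tokens[0][len("package:"):]
        installer = None
        for tok in tokens[1:]:
            if tok.startswith("installer="):
                value = tok[len("installer="):]
                installer = None if value in ("", "null") else value
        installed[name] = installer
    return installed


def parse_enabled_a11y(setting: str) -> dict[str, list[str]]:
    """Map package name -> enabled accessibility service class names."""
    services: dict[str, list[str]] = {}
    setting = setting.strip()
    if not setting or setting == "null":
        return services
    for component in setting.split(":"):
        if "/" not in component:
            continue
        pkg, _, svc = component.partition("/")
        if svc.startswith("."):        # shorthand: class lives in the package
            svc = pkg + svc
        services.setdefault(pkg, []).append(svc)
    return services


def assess(installed: dict[str, str | None],
           a11y: dict[str, list[str]]) -> list[Finding]:
    """Rate each third-party package; worst findings first."""
    findings: list[Finding] = []
    for pkg, installer in installed.items():
        svcs = a11y.get(pkg, [])
        sideloaded = installer not in TRUSTED_INSTALLERS
        if sideloaded and svcs:
            severity = "high"      # the combination ATS-style fraud relies on
        elif sideloaded:
            severity = "medium"
        elif svcs:
            severity = "info"      # store-installed assistive app, e.g. TalkBack
        else:
            continue
        findings.append(Finding(pkg, installer, svcs, severity))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.package))
    return findings


if __name__ == "__main__":
    report = assess(parse_installed(SAMPLE_PM_LIST),
                    parse_enabled_a11y(SAMPLE_ENABLED_A11Y))
    for f in report:
        print(f"[{f.severity:6}] {f.package}  installer={f.installer}  "
              f"accessibility={f.a11y_services}")
```

On a real device, replace the two sample strings with the output of the adb commands named in the docstring. A “high” finding is not proof of infection, but a sideloaded app holding accessibility access is exactly the position Xenomorph needs, and deserves a manual look.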
The Xenomorph Android banking trojan remains a persistent and evolving threat, with its latest version targeting an extensive range of financial and cryptocurrency apps. By staying vigilant, refusing browser “updates” offered by websites, avoiding sideloading, and installing reputable antivirus software, Android users can strengthen their device’s security against this and similar threats.
Given how quickly Xenomorph changes, continued awareness and proactive protection are essential. As cybercriminals refine and expand their tactics, it is crucial to remain informed and take steps to protect your digital assets and sensitive information.
And always remember to trust your gut. If something seems off, it is probably worth a closer look.
Source: https://www.threatfabric.com/blogs/xenomorph-malware-strikes-again-over-30-us-banks-now-targeted