Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions

In the ever-evolving landscape of cybersecurity threats, the Xenomorph banking Trojan has once again emerged as a significant concern for Android users, particularly in the United States. This updated variant of Xenomorph is not only persistent but also highly adaptable, with its sights set on more than 35 financial institutions in the U.S. Alongside U.S. targets, this malicious campaign has extended its reach to Spain, Canada, Italy, Portugal, and Belgium.

In this article, we will delve into the details of this potent banking Trojan, its evolution, and the methods it employs to compromise user data and financial security.

Xenomorph: A Brief Overview

Xenomorph first made its presence known in early 2022, initially targeting European banks through screen overlay phishing techniques. Initially distributed through Google Play, it managed to amass over 50,000 installations, earning it a reputation as a major threat. Its authors, operating under the name “Hadoken Security,” continuously improved the malware, turning it into a modular and adaptable banking Trojan.

Evolution of Xenomorph

The evolution of Xenomorph has been marked by its ability to adapt to changing security measures and technology. In August 2022, it bypassed security features in Android 13 with a new dropper named “BugDrop.” Later, in December 2022, a distribution platform known as “Zombinder” embedded the threat into legitimate Android apps’ APK files. By March 2023, Hadoken Security released a third major version of Xenomorph, equipped with an Automatic Transfer System (ATS) for autonomous on-device transactions, Multi-Factor Authentication (MFA) bypass capabilities, cookie theft, and the ability to target over 400 banks.

The Latest Campaign

The most recent campaign involving Xenomorph is particularly noteworthy. Instead of relying on app store distribution, the malware operators have turned to phishing pages, tricking users into downloading malicious APKs under the guise of updating their Chrome browsers. While the Trojan still employs overlay attacks to steal sensitive information, it has expanded its range to include financial institutions in the United States and numerous cryptocurrency apps.

Each Xenomorph sample is now loaded with approximately a hundred overlays targeting different sets of banks and crypto apps, tailored to the specific demographics of the victim. This approach allows the Trojan to effectively steal precious Personally Identifiable Information (PII) from infected devices.
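The distribution method described above (a phishing page pushing a fake "Chrome update" APK) leaves a trace a defender can check: the package arrives outside the store front, so the installer recorded by the package manager is not Google Play, and its package name only imitates the real browser. The following Python script is an added example written for this article, not code from the original page or from the researchers it summarises. It triages the output of `adb shell pm list packages -i -3` (third-party packages with their installer; the exact line format is an assumption to verify on your device build), flagging packages that are sideloaded or whose name mimics Chrome without being `com.android.chrome`. The sample output embedded in the script is constructed for illustration.

```python
"""Triage helper: flag sideloaded or Chrome-impersonating packages.

Input is the text of `adb shell pm list packages -i -3`, i.e. third-party
packages only, each with the installer package that put it on the device.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed line format (verify on your Android build):
#   package:<package_name>  installer=<installer_package|null>
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Installers treated as trusted store fronts (assumption; extend for your fleet,
# e.g. an enterprise MDM agent). Google Play is com.android.vending.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Real package name of Google Chrome on Android.
CHROME_PACKAGE = "com.android.chrome"


@dataclass
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_line(line: str) -> tuple[str, str] | None:
    """Return (package, installer) for one `pm list packages -i` line, else None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("pkg"), m.group("inst")


def triage(pm_output: str) -> list[Finding]:
    """Flag packages worth a closer look, in input order."""
    findings: list[Finding] = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        if parsed is None:
            continue  # blank line or unexpected format
        pkg, inst = parsed
        if "chrome" in pkg.lower() and pkg != CHROME_PACKAGE:
            # A real Chrome update never ships under a different package name.
            findings.append(Finding(pkg, inst,
                                    "package name imitates Chrome but is not com.android.chrome"))
        elif inst not in TRUSTED_INSTALLERS:
            # installer=null or the OS package installer means the APK was
            # sideloaded, which is how the phishing-page campaign delivers it.
            findings.append(Finding(pkg, inst,
                                    "installed outside the trusted store front (sideloaded)"))
    return findings


# Constructed sample output; these package names are illustrative, not IoCs.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.chrome.update  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT):
        print(f"{f.package:<28} installer={f.installer:<40} {f.reason}")
```

On a real device, pipe `adb shell pm list packages -i -3` into `triage`. A flagged package is a lead, not a verdict: confirm by inspecting the APK's signing certificate and the permissions it holds (overlay and accessibility grants are the ones this family relies on) before removing it.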

New Features

While the latest Xenomorph samples might not be drastically different from their predecessors, they do come with new features indicating the ongoing refinement of the malware. One such feature is the “mimic” capability, allowing the Trojan to impersonate other applications and increase the opportunities for ransomware attacks. This eliminates the need to hide icons from the app launcher, a behavior often flagged by mobile security tools.

Another new feature is “ClickOnPoint,” which enables Xenomorph operators to simulate taps at specific screen coordinates. This allows them to bypass confirmation screens or perform simple actions without triggering security warnings.

Furthermore, an “antisleep” system prevents the device from turning off its screen using an active notification. This helps maintain engagement and avoids interruptions that might require re-establishing command and control communications.

Collaboration and Windows Malware

Analysts, by exploiting weak security measures in the malware operator’s infrastructure, uncovered additional malicious payloads. These include Android malware variants like Medusa and Cabassous, as well as Windows information stealers like RisePro and LummaC2, and the Private Loader malware loader.

The presence of potent Windows malware alongside Xenomorph suggests possible collaboration between threat actors or the potential of Xenomorph being sold as Malware-as-a-Service (MaaS).

The Xenomorph banking Trojan’s latest variant represents a significant threat to Android users, especially those in the United States and various European countries. Its adaptability, persistence, and the continuous development efforts of its creators make it a force to be reckoned with. Users are urged to exercise caution when prompted to update their browsers on mobile devices, as these prompts may be part of malware distribution campaigns.

How Ampcus Cyber Can Help Businesses?

For such advanced and persistent threats like the Xenomorph banking Trojan, organizations and individuals need robust cybersecurity solutions to protect their data and financial assets. This is where Ampcus Cyber comes into play. Ampcus Cyber is a leading cybersecurity firm specializing in threat detection, mitigation, and prevention.

Ampcus Cyber offers advanced data security and compliance solutions designed to safeguard against evolving threats like Xenomorph. Our team at Ampcus Cyber utilizes advanced threat intelligence and cybersecurity tools to identify and neutralize banking Trojans and other malware.

Vigilance and the use of reliable security measures are essential to protect against this evolving threat in the world of cybersecurity.
Stay informed and stay secure!