Xenomorph Android Malware: A Growing Threat to U.S. Banks and Crypto Wallets


In the ever-evolving landscape of cybersecurity threats, a new menace has emerged targeting Android users in multiple countries, including the United States. Named Xenomorph, this malicious software has been making headlines since early 2022, and its recent campaign is particularly concerning. In this blog post, we'll delve into the details of Xenomorph, its evolution, and the latest campaign that has put U.S. banks and cryptocurrency wallets at risk.

Xenomorph's Origin and Evolution

Xenomorph first surfaced as a banking trojan in early 2022, focusing on European banks by employing screen overlay phishing techniques. It gained notoriety by being distributed through Google Play, accumulating over 50,000 installations. Its creators, known as "Hadoken Security," continued to refine their creation. In June 2022, a revamped version of Xenomorph was released, featuring modularity and enhanced flexibility. This upgrade earned Xenomorph a spot on Zimperium's list of top ten most prolific banking trojans, solidifying its status as a major threat.


The August 2022 Campaign: A New Level of Sophistication

In August 2022, ThreatFabric, a cybersecurity company, reported a significant development in Xenomorph's tactics. The malware was now being distributed through a dropper named "BugDrop," which effectively circumvented security features in Android 13. This marked a shift in the malware's distribution strategy.

December 2022: The Emergence of "Zombinder"

Later that year, in December 2022, ThreatFabric analysts uncovered a new malware distribution platform called "Zombinder." This platform embedded the Xenomorph threat into legitimate Android apps' APK files, further complicating the detection and removal process.

March 2023: Xenomorph's Third Major Version

By March 2023, Hadoken Security released the third major version of Xenomorph, featuring an automated transfer system (ATS) for on-device transactions, multi-factor authentication (MFA) bypass, cookie stealing capabilities, and the ability to target over 400 banks. This update indicated a growing sophistication in the malware's capabilities.

The Latest Campaign: Targeting U.S. Banks and Crypto Wallets

In the most recent campaign, Xenomorph operators employed phishing pages to trick visitors into downloading a malicious APK by falsely claiming a Chrome browser update was needed. Additionally, the new "ClickOnPoint" feature allows the operators to simulate taps at specific screen coordinates, bypassing confirmation screens and security warnings. An "antisleep" system prevents devices from turning off their screens, ensuring prolonged engagement and uninterrupted communication with command and control servers.
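For defenders, the traits described above can be turned into a simple inventory check. The following Python example is added here and is not code from the original post or from any vendor report. It triages app inventory records (as might be exported from an MDM) for a sideloaded app posing as Chrome. The record fields, the trusted-installer policy, the mapping from behaviours to permissions, and the sample inventory are all assumptions constructed for illustration.

```python
# Added example: triage an Android app inventory for the fake-Chrome lure and
# the behaviours described in the post. Field names and rules are assumptions.
CHROME_PACKAGES = {"com.android.chrome", "com.chrome.beta",
                   "com.chrome.dev", "com.chrome.canary"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; adjust to policy
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
WAKE_LOCK = "android.permission.WAKE_LOCK"

def triage(app):
    """Return (severity, signals) for one inventory record (a dict)."""
    perms = set(app.get("permissions", []))
    signals = {
        # Label claims to be Chrome, but the package is not a Chrome package.
        "imitates_chrome": "chrome" in app["label"].lower()
        and app["package"] not in CHROME_PACKAGES,
        # No installer recorded, or an installer outside the trusted set.
        "sideloaded": app.get("installer") not in TRUSTED_INSTALLERS,
        # Assumed mapping: simulated taps rely on an accessibility service.
        "accessibility": bool(app.get("accessibility_service")),
        # Assumed mapping: overlays may use the draw-over-apps permission.
        "overlay": OVERLAY in perms,
        # Assumed mapping: keeping the screen on may use a wake lock.
        "wake_lock": WAKE_LOCK in perms,
    }
    hits = [name for name, on in signals.items() if on]
    if signals["imitates_chrome"] and signals["sideloaded"]:
        severity = "high"
    elif signals["sideloaded"] and signals["accessibility"] and (
            signals["overlay"] or signals["wake_lock"]):
        severity = "medium"
    else:
        severity = "low"  # common permissions alone are not a finding
    return severity, hits

# Constructed sample inventory (not real telemetry).
INVENTORY = [
    {"label": "Chrome", "package": "com.android.chrome",
     "installer": "com.android.vending", "permissions": [WAKE_LOCK]},
    {"label": "Chrome Update", "package": "com.example.updater", "installer": None,
     "permissions": [OVERLAY, WAKE_LOCK], "accessibility_service": True},
    {"label": "Screen Reader Plus", "package": "com.example.reader",
     "installer": None, "permissions": [OVERLAY], "accessibility_service": True},
    {"label": "Notes", "package": "com.example.notes",
     "installer": "com.android.vending", "permissions": []},
]

def report(inventory):
    """Map each package name to its (severity, signals) result."""
    return {app["package"]: triage(app) for app in inventory}
```

A "medium" result is a prompt for review rather than a verdict, since legitimate assistive apps also declare accessibility services.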


What Users Should Be Aware Of

Users should exercise caution when prompted to update their mobile browsers, as these prompts may be part of malware distribution campaigns. Additionally, Xenomorph's association with potent Windows malware suggests either collaboration among threat actors or the possibility that Xenomorph is being sold as Malware-as-a-Service (MaaS).


Xenomorph Android malware has evolved significantly since its initial appearance in early 2022. Its latest campaign targeting U.S. banks and cryptocurrency wallets underscores the importance of robust mobile security measures. As the threat landscape continues to evolve, it is imperative for users and organizations to stay vigilant, keep their devices and software up to date, and educate themselves about the latest cybersecurity threats to safeguard their digital assets and sensitive information.


Copyright © 2024 CYUN. All rights reserved.