Malware "Xenomorph" discovered on the Play Store

Feb 24, 2022 - 18:58

Researchers at ThreatFabric, a company specializing in fraud and cybercrime prevention, analysed the Xenomorph malware and found code resembling the Alien banking Trojan.

New malware named Xenomorph, distributed through the Google Play Store, has infected over 50,000 Android devices in order to steal users' banking information.

Xenomorph, which is still in the early phases of development, targets customers of dozens of financial institutions in Spain, Portugal, Italy, and Belgium.

ThreatFabric, a fraud and cybercrime prevention company, analysed Xenomorph and found code resembling the Alien banking Trojan. This suggests the two threats are related: either Xenomorph is Alien's successor, or both were written by the same developers.

Banking Trojans such as Xenomorph steal sensitive financial data, take over accounts, or carry out fraudulent transactions, after which the fraudsters sell the stolen data to prospective buyers.

Xenomorph made its way into the Google Play Store via generic performance-enhancing apps such as Fast Cleaner, which has 50,000 downloads.

Because there is always demand for apps that promise to speed up Android devices, such programs are a typical lure used by banking Trojans, including Alien.

Fast Cleaner fetches its malicious code only after installation, so the app is clean at the time it is submitted to the Play Store and is not rejected during the store's application review.

ThreatFabric classified the app as part of the "Gymdrop" family of malicious applications, first observed in November 2021 and under scrutiny by security researchers ever since.

Xenomorphic abilities

Xenomorph's functionality is currently limited because the Trojan is still under intensive development. It nonetheless remains a serious concern, since it is already capable of stealing information and targets as many as 56 different European banks.

The malware can, for example, intercept notifications, log text messages, and display fake login screens, which already lets it steal credentials and the one-time passwords used to secure bank accounts.

The first thing Xenomorph does after installation is send back a list of the packages installed on the infected device. It then requests access to various device data in order to abuse those privileges and reach parts of the device it would not normally be able to access.

Its accessibility mechanism is highly sophisticated and was built with a modular approach in mind. According to ThreatFabric, it has a module for each distinct action the bot needs to perform and can readily be extended with further capabilities.

Overall, because only small additions and code updates are needed to enable extensive data-extraction functions, Xenomorph could gain next-level capabilities at any time.
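The capabilities described above (SMS and notification interception, fake login screens, accessibility abuse, enumerating installed packages, and fetching code after installation) each require an Android app to declare specific permissions or service bindings in its manifest. The following is an added example, not ThreatFabric's tooling or anything from the article, showing how a defender can triage an app by mapping its declared permissions onto those capability groups and flagging manifests that combine several of them. The permission names are real Android permissions; the grouping, the threshold, the package names and both manifests are constructed for this example.

```python
"""Static permission triage for an Android manifest (added example).

Maps the behaviours the article attributes to Xenomorph onto the Android
permissions an app must declare to perform them, and flags manifests that
combine several of those capability groups. Grouping, threshold and sample
manifests are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names; the capability grouping is an assumption.
CAPABILITY_GROUPS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "notification_interception": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "overlay_login_screens": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "package_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
    "post_install_payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Assumed threshold: three or more capability groups in one app warrants review.
REVIEW_THRESHOLD = 3


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every permission the manifest declares or binds a service to."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    # Accessibility and notification-listener services are gated by the
    # android:permission attribute on <service>, not by <uses-permission>.
    perms |= {el.get(PERMISSION) for el in root.iter("service")}
    return {p for p in perms if p}


def triage(manifest_xml: str) -> dict:
    """Score a manifest by how many Xenomorph-style capability groups it declares."""
    perms = declared_permissions(manifest_xml)
    caps = sorted(group for group, needed in CAPABILITY_GROUPS.items() if perms & needed)
    return {
        "capabilities": caps,
        "score": len(caps),
        "needs_review": len(caps) >= REVIEW_THRESHOLD,
    }


# Constructed sample: a "cleaner" app declaring the full capability set.
# The package name is made up and is not the real Fast Cleaner identifier.
CLEANER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed sample: a benign app that only talks to the network.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("cleaner", CLEANER_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Two caveats follow directly from the article. First, a dropper like Fast Cleaner only fetches the banking payload after installation, so the manifest submitted to the store may declare little beyond REQUEST_INSTALL_PACKAGES or INTERNET; the triage is most useful on the payload that later lands on the device, and a utility app asking to install other packages is itself worth a look. Second, permission-based triage produces false positives (a legitimate SMS or accessibility app declares the same things), so the score is a prioritisation signal for analysts, not a verdict.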

Given its "emerging" state, ThreatFabric does not consider Xenomorph a significant threat at present. Compared with other recent Android banking Trojans, however, it has the potential to reach its full capacity over time.

To avoid Xenomorph or any other Android malware lurking in the Play Store, users are advised not to install apps that promise unrealistic improvements to their device.

Checking other users' reviews can also help you steer clear of fraudulent software.