A new Android banking trojan called Xenomorph is gaining popularity among threat actors who are using the malware to steal credentials from over 450 apps, including cryptocurrency wallets, email services and over 50 European banking apps, Spanish apps in particular. Xenomorph, which was first seen in late February, was distributed through the official Google Play store by masquerading as a legitimate application. As a result, over 500,000 users have installed the malware.
Due to its wide range of capabilities, even accounts protected by multifactor authentication (MFA) are at risk of credential theft and account takeover (ATO) fraud, making it crucial that all businesses learn how to protect their users from the trojan. This blog post will explain what Xenomorph is capable of, how it works and how the Transmit Security Platform can help businesses protect their users from Xenomorph attacks.
Xenomorph made its way onto users’ devices by way of over 50 applications distributed on the Google Play store. Once one of the apps is installed, it downloads a payload that enables it to log extensive data on how users interact with targeted applications.
Xenomorph is capable of harvesting:
Because the malware is not fetched until after a bogus application is installed, it is not flagged by Google as malicious during screening for the Google Play store, resulting in the widespread distribution of many applications containing the malware. In addition, the malware cannot be uninstalled by users once a device is infected, and discussion on the dark web indicates the malware’s continued popularity among threat actors, as shown below.
Hy guyz, what's the best Android malware in 2023? And can u tell me please what opinion u have on ermac hydra?
Hard to say which might be the best for this year. Ermac and Hydra are good, SharkBot and Xenomorph too; it may depend on how much you're willing to pay for a rent, of course. Alien, from what I hear, is in definitive decline, or if you know how to arrange something, good old Anubis.
Furthermore, researchers found commands and placeholders within the trojan for future features that could extend its functionality due to the trojan’s modular structure, which can be easily scaled and updated.
When a user downloads an infected app, the Xenomorph payload is dropped from GitHub and executes an overlay attack that abuses Android's accessibility service, which is capable of monitoring and executing a wide range of actions intended to improve disabled users' access to applications.
Once Xenomorph is installed, it repeatedly asks users to enable accessibility services. After receiving access permissions, it adds itself as a device admin and prevents the user from removing that configuration, making the malware impossible to uninstall through normal means. Xenomorph then searches for targeted applications on the device and sends the list of installed packages back to its operators in order to download the corresponding overlays, which mimic the interfaces of legitimate applications.
As soon as the malware is up and running, the device’s background services will receive information about accessibility events, such as opening a targeted application. When this occurs, Xenomorph will execute the overlay injection, tricking users into believing they are interacting with the legitimate application so it can steal users’ credentials, one-time passwords and other sensitive information.
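As an added, defender-side illustration (not code from the original post or from Transmit Security), the Kotlin snippet below shows how a banking app could surface the two device-state signals this chain depends on (an enabled accessibility service outside a known-good list, and a device-admin registration belonging to another package) and reject touches delivered to a credential field while another window covers it. The allow list, its single TalkBack entry, and the reporting callback are assumptions for the example.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.admin.DevicePolicyManager
import android.content.Context
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager

// Example allow list (assumption): accessibility services the app's risk policy
// treats as legitimate, e.g. the platform screen reader. Anything else is reported.
val TRUSTED_ACCESSIBILITY_PACKAGES = setOf("com.google.android.marvin.talkback")

data class DeviceRiskReport(
    val unknownAccessibilityServices: List<String>,
    val foreignDeviceAdmins: List<String>,
) {
    val isSuspicious get() = unknownAccessibilityServices.isNotEmpty() || foreignDeviceAdmins.isNotEmpty()
}

// Surfaces the two device-state signals the Xenomorph chain depends on: an
// accessibility service the user was coaxed into enabling, and a device-admin
// registration that blocks uninstall. Uses only what the platform exposes to any app.
fun collectDeviceRisk(context: Context): DeviceRiskReport {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val unknown = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .filter { it !in TRUSTED_ACCESSIBILITY_PACKAGES }
        .distinct()
    val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
    val admins = (dpm.activeAdmins ?: emptyList())
        .map { it.packageName }
        .filter { it != context.packageName } // a banking app normally registers no admin of its own
    return DeviceRiskReport(unknown, admins)
}

// Protects a credential-entry view against the tapjacking variant of overlay abuse:
// a touch that arrives while another window covers the view is reported and swallowed.
// An opaque fake screen never lets the touch reach the real view at all, which is
// why the device-state signals above are needed alongside this check.
fun hardenAgainstOverlay(view: View, onObscuredTouch: () -> Unit) {
    view.setOnTouchListener { _, event ->
        val obscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        if (obscured) onObscuredTouch()
        obscured // true consumes the event; false lets normal handling proceed
    }
}
```

Call collectDeviceRisk at login and send the report as device telemetry; call hardenAgainstOverlay on each password and OTP field before it becomes visible.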
Transmit Security’s Detection and Response service protects businesses against fraudsters who may use Xenomorph to steal users’ credentials or use harvested data to perform account takeover attacks.
Detection and Response prevents malware credential theft via features designed to detect infected devices in real time:
In addition, Detection and Response prevents ATO attacks from fraudsters armed with data harvested by malware. It does this by analyzing a broad range of telemetry signals using multiple real-time detection methods, including:
After analyzing a relevant action, such as a login or transaction, Detection and Response returns a transparent recommendation for handling each request along with the top reasons for the recommendation, such as the detection of a known malicious device, impossible travel or the use of the Tor network. Businesses can use these recommendations as action triggers to block requests from compromised devices or suspicious users.
Detection and Response is already being used by some of the world’s largest and most trusted financial institutions to detect and mitigate fraud. Find out more by reading our case study on how a leading U.S. bank achieved 1300% ROI with Detection and Response, or contact sales to request a personalized demo.