How to Protect Your Users from Xenomorph

A new Android banking trojan called Xenomorph is gaining popularity among threat actors who are using the malware to steal credentials from over 450 apps, including cryptocurrency wallets, email services and over 50 European banking apps, Spanish apps in particular. Xenomorph, which was first seen in late February, was distributed through the official Google Play store by masquerading as a legitimate application. As a result, over 500,000 users have installed the malware. 

Due to its wide range of capabilities, even accounts protected by multifactor authentication (MFA) are at risk of credential theft and account takeover (ATO) fraud, making it crucial that all businesses learn how to protect their users from the trojan. This blog post will explain what Xenomorph is capable of, how it works and how the Transmit Security Platform can help businesses protect their users from Xenomorph attacks.

Xenomorph distribution, targets and capabilities

Xenomorph made its way onto users’ devices by way of over 50 applications distributed on the Google Play store. Once one of the apps is installed, it downloads a payload that enables it to log extensive data on how users interact with targeted applications. 

Xenomorph is capable of harvesting:

  • Login credentials 
  • Personally identifying information
  • Emails 
  • 2FA codes 
  • Seed phrases from cryptocurrency wallets
  • Device information
  • Keystrokes (via keylogging)
  • Behavioral data

Because the malware is not fetched until after a bogus application is installed, it is not flagged by Google as malicious during screening for the Google Play store, resulting in the widespread distribution of many applications containing the malware. In addition, the malware cannot be uninstalled by users once a device is infected, and discussion on the dark web indicates the malware’s continued popularity among threat actors, as shown below.

Hy guyz what s the best android malware in 2023? And can u tell me please what opinion u have on ermac hydra?

Hard to say which might be the best for this year, ermac and hydra are good, sharkbot and xenomorph too, it may depend on how much you’re willing to pay for a rent of course, Alien from what I hear is in definitive decline, or if you know how to arrange something, good old anubis

Furthermore, researchers found commands and placeholders within the trojan for features that have not yet been implemented. Because the trojan is built from modules, such features can be added, scaled and updated with little effort.

How Xenomorph works

When a user downloads an infected app, the Xenomorph payload is dropped from GitHub and carries out an overlay attack that abuses Android’s accessibility service, a feature intended to monitor and perform a wide range of actions on behalf of users with disabilities so they can use applications more easily.

Once Xenomorph is installed, it repeatedly asks users to enable accessibility services. After receiving access permissions, it adds itself as a device admin and prevents the user from removing that configuration, so the malware cannot be uninstalled. Xenomorph then searches for targeted applications on the device and sends back the list of installed packages to download the corresponding overlays, which mimic the interfaces of legitimate applications.

As soon as the malware is up and running, the device’s background services will receive information about accessibility events, such as opening a targeted application. When this occurs, Xenomorph will execute the overlay injection, tricking users into believing they are interacting with the legitimate application so it can steal users’ credentials, one-time passwords and other sensitive information.
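The three footholds just described (an overlay drawn over the real app, an enabled accessibility service, and self-enrollment as a device admin) are all observable from inside a protected app. The hypothetical Java Activity below is an added example, not code from the original post or from Transmit Security; the vendor package-prefix allow-list and the `reportRisk` telemetry hook are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical login screen that checks for the three footholds described above. */
public class LoginActivity extends Activity {
    /** Every touch reaching this Activity passes through here first. */
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Android sets these flags when another window covered ours at touch time, i.e. an overlay.
        int obscuredMask = MotionEvent.FLAG_WINDOW_IS_OBSCURED
                | MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED; // partial flag: API 29+
        if ((ev.getFlags() & obscuredMask) != 0) {
            reportRisk("touch_while_obscured"); // hypothetical telemetry hook
            return true; // consume the touch so the login form never sees it
        }
        return super.dispatchTouchEvent(ev);
    }

    /** Enabled accessibility services outside the OS vendor namespaces (assumed allow-list). */
    static List<String> nonSystemAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> flagged = new ArrayList<>();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!pkg.startsWith("com.android.") && !pkg.startsWith("com.google.")) flagged.add(pkg);
        }
        return flagged;
    }

    /** Active device administrators; a recently installed app enrolling itself here is a strong signal. */
    static List<String> activeDeviceAdmins(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<String> admins = new ArrayList<>();
        List<ComponentName> active = dpm.getActiveAdmins(); // null when none are active
        if (active != null) for (ComponentName cn : active) admins.add(cn.flattenToShortString());
        return admins;
    }

    private void reportRisk(String reason) { /* hypothetical: forward to the risk backend */ }
}
```

The two static helpers are meant to be called at login and their results sent to the risk backend as signals, not used as a local block on their own, since legitimate screen readers and MDM agents also appear in these lists.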

Protecting users from Xenomorph with Transmit Security

Transmit Security’s Detection and Response service protects businesses against fraudsters who may use Xenomorph to steal users’ credentials or use harvested data to perform account takeover attacks. 

Detection and Response prevents malware credential theft via features designed to detect infected devices in real time: 

  • Signature-based detection: Detection and Response uses signatures, or known patterns used in families of malware, to detect known compromised applications, malicious files that are associated with malware and environmental parameters left behind by malware.
  • Overlay detection: By integrating its SDK within the app, Detection and Response can detect in real time when an overlay screen is used.

In addition, Detection and Response prevents ATO attacks from fraudsters armed with data harvested by malware. It does this by analyzing a broad range of telemetry signals using multiple real-time detection methods, including:

  • Geo analysis: Detection and Response leverages information about users’ geolocation over time and flags requests that indicate suspicious behavior, such as impossible travel or locations that are not part of a user’s typical behavior and known to have high rates of fraud.
  • Link Analysis: Mapping the relationships between fraudsters’ IPs, devices and other telemetry enables Detection and Response to uncover fraud rings that may target multiple users in real time.
  • Device Reputation: Using advanced device fingerprinting, Detection and Response builds a profile of trusted devices and detects strong indicators of fraudulent activity such as emulators, virtual machines, malware, remote access trojans, spoofed devices and device farms. 
  • Network Reputation: Detection and Response uses a database of over one billion entities to identify attempted access by IPs that have been involved in previous attacks or are using Tor, data centers, proxies and anonymizers to hide their tracks.
  • Behavior Analysis: By combining many behavior-based data points, such as the average time to perform a specific action, mousing patterns and typical session journeys, Detection and Response builds a profile of trusted user behavior and analyzes each new action in real time using machine learning to detect anomalies that may indicate fraud. 

After analyzing a relevant action, such as a login or transaction, Detection and Response returns a transparent recommendation for handling each request along with the top reasons for the recommendation, such as the detection of a known malicious device, impossible travel or the use of the Tor network. Businesses can use these recommendations as action triggers to block requests from compromised devices or suspicious users.

Detection and Response is already being used by some of the world’s largest and most trusted financial institutions to detect and mitigate fraud. Find out more by reading our case study on how a leading U.S. bank achieved 1300% ROI with Detection and Response, or contact sales to request a personalized demo.