Advisory ID: NCC-CSIRT-0222-0005
Summary: XENOMORPH, is a newly hatched malicious software that steals users banking App login credentials and has been found to target 56 financial institutions from Europe. It was named “Xenomorph” by researchers at "Threatfabric" because of the similarities in its code to that of the notorious banking Trojan "Alien", which has made researchers to believe that it is either the successor to “Alien” or that they both were created by the same Person. The main intent of this malware is to steal credentials, combined with the use of SMS and Notification interception to log-in and use potential 2-factor Authentication tokens.
Vulnerable Platform(s): All Android devices
Threat Type: Bypass authentication, Data Theft.
Description: Xenomorph is propagated by an application that was slipped into Google play store by masquerading as a legitimate application called ""Fast Cleaner"" meant to clear junk, increase device speed and optimize battery while in reality, this app is only a means by which the Xenomorph Trojan could be propagated easily and efficiently. To avoid early detection or being denied access to the Play Store “Fast Cleaner” was disseminated before the malware was placed on the remote server, making it hard for Google to determine that such an app is being used for malicious actions. Once up and running on a victim’s device, Xenomorph can harvest device information and SMS messages, intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it. The threat also asks for Accessibility Services privileges, which allow it to grant itself further permissions. The malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones. Because it can also intercept messages and notifications, it allows its operators to bypass SMS-based two-factor authentication and log into the victims’ accounts without alerting them. Xenomorph has been found to target 56 internet banking apps, 28 from Spain, 12 from Italy, 9 from Belgium, and 7 from Portugal, as well as Cryptocurrency wallets and general-purpose applications like emailing services. The Fast Cleaner app has now been removed from the Play Store but not before it garnered 50,000+ downloads.
Consquences: The attacker would be able to steal login details of a user’s Banking App, Cryptocurrency and even general use services like E-mail.
Impact/Probability: HIGH/HIGH
Solution
- Android Users are advised to use trusted Antivirus Solutions and update them regularly to the latest definitions.
- Always update banking applications to the latest definitions.
References:
- https://www.bleepingcomputer.com/news/security/new-xenomorph-android-malware-targets-customers-of-56-banks/
- https://www.securityweek.com/xenomorph-android-trojan-targets-56-banking-applications
- https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html
- https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/
- https://www.androidpolice.com/xenomorph-malware-banking-trojan/
- https://in.ign.com/android/170656/news/xenomorph-banking-malware-explained-concerning-trojan-found-in-s ome-play-store-apps-and-how-it-can-a