Thursday September 19, 2024

Advisory ID: NCC-CSIRT-2811-058 

Summary: The Android app "Todo: Day Manager" installs the Xenomorph banking trojan, which steals login credentials from banking apps and can read SMS messages, including two-factor verification codes.

Vulnerable Platform(s): Android Operating Systems

Threat Type:  

  • Malware

Product: Todo: Day Manager

Version: All versions

Description: According to Zscaler ThreatLabz, Todo: Day Manager installs the Xenomorph banking trojan. Xenomorph steals login information from banking apps and can read SMS messages, which lets it intercept two-factor verification codes (typically delivered by text) and use them, together with the stolen credentials, to take over the victim's accounts and bank balance. It performs overlay attacks by abusing Android accessibility service permissions: a fraudulent login screen is drawn over the legitimate banking app so that whatever the user types is captured and exfiltrated. The app also makes itself intentionally difficult to remove. It first asks the user to enable the accessibility permission; once that is granted, it registers itself as a device administrator and uses the accessibility service to stop the user from deactivating Device Admin, so the app cannot be uninstalled through the normal Settings flow. Users should search their phone for the app immediately and remove it. If no permissions have been granted to the app, it can be uninstalled safely; otherwise, back up your files and factory-reset the phone to clear it completely.

Consequences: Steals login information from banking apps to take over bank accounts, and reads SMS messages (including two-factor verification codes).

Impact/Probability: HIGH/HIGH

Solution:
  • Search your phone for the app and uninstall it immediately; if it cannot be uninstalled, back up your files and factory-reset the phone.
  • Only search for apps in the Google Play Store, and pay close attention to the search results. Compare the app icon (fake apps almost always copy the icon of the app they imitate), then check the developer name and make sure it is the right developer. Look at the download count: an app with hundreds of thousands or millions of downloads is more likely to be the genuine one. Finally, read the description and screenshots and be wary of multiple spelling or grammar mistakes or otherwise broken English.
  • Use Google Play Protect, which regularly scans installed apps for malware and prompts you to uninstall rogue apps.

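For responders who have adb access to an affected handset (USB debugging enabled), the accessibility-plus-device-admin mechanism described above can be triaged and unwound without a factory reset. The script below is an added example written for this advisory; it is not code from NCC-CSIRT or from Zscaler ThreatLabz. The package name com.example.todo.daymanager, the service component names and the SAMPLE_A11Y value are constructed placeholders (the advisory does not give the malicious app's real package name), and KNOWN_A11Y is an assumed allowlist that should be replaced with the accessibility services actually expected on the device.

```shell
#!/bin/sh
# Triage/removal helper for an Android app that abuses an accessibility service
# and device-admin registration to resist uninstallation. Added example, not from
# the advisory. All package and component names are placeholders (assumption).

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# returns: a colon-separated list of package/service components. The first
# entry stands in for the trojan, the second is a legitimate screen reader.
SAMPLE_A11Y='com.example.todo.daymanager/.OverlayAccessibilityService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Accessibility services expected on this device (assumed allowlist); anything
# else that holds the accessibility permission is a removal candidate.
KNOWN_A11Y='com.google.android.marvin.talkback'

# a11y_packages LIST: print one package name per line. Entries with no slash
# (for example the literal "null" returned when the setting is unset) are dropped.
a11y_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#/.*##p'
}

# suspicious_a11y LIST KNOWN: packages in LIST that are not in the
# space-separated KNOWN allowlist.
suspicious_a11y() {
  a11y_packages "$1" | while IFS= read -r pkg; do
    case " $2 " in
      *" $pkg "*) ;;                 # expected service, ignore
      *) printf '%s\n' "$pkg" ;;     # unexpected: candidate for removal
    esac
  done
}

# strip_a11y LIST PKG: LIST with every component belonging to PKG removed,
# in the same colon-separated form the setting expects.
strip_a11y() {
  printf '%s\n' "$1" | tr ':' '\n' | awk -v p="$2/" 'index($0, p) != 1' | paste -s -d : -
}

# removal_commands PKG NEWLIST: the adb steps, printed for review (pipe to sh
# to run). Writing the trimmed list first removes the overlay the app relies on
# to block the Device admin screen. `pm uninstall` is refused while the package
# is still an active device admin, so it must be deactivated in Settings first.
removal_commands() {
  printf '%s\n' "adb shell settings put secure enabled_accessibility_services '$2'"
  printf '%s\n' "adb shell am force-stop $1"
  printf '%s\n' "echo 'Now deactivate $1 under Settings > Security > Device admin apps, then continue'"
  printf '%s\n' "adb shell pm uninstall --user 0 $1"
}

# --live reads the real setting from the connected device; --demo uses the
# constructed sample so the script can be exercised offline.
case "${1-}" in
  --live) list=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r') ;;
  --demo) list=$SAMPLE_A11Y ;;
  *)      list='' ;;
esac
if [ -n "$list" ]; then
  for pkg in $(suspicious_a11y "$list" "$KNOWN_A11Y"); do
    echo "Unexpected accessibility service owner: $pkg"
    removal_commands "$pkg" "$(strip_a11y "$list" "$pkg")"
  done
fi
```

If the overlay prevents you from enabling USB debugging or reaching Settings at all, reboot the phone into safe mode first (third-party apps, and therefore their accessibility services, are not started there), deactivate the device admin, and uninstall; the adb steps above then serve as confirmation that no unexpected accessibility service remains.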
References: