Advisory ID: NCC-CSIRT-130323-015
Summary: Xenomorph is a banking malware that has the capabilities to automatically complete fraudulent transactions on Infected devices from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation.
Vulnerable Platform(s): Andriod Operating Systems
Threat Type: Malware
Product : Banking Applications/ Cryptocurrency wallets
Version: All Versions
Description: A new variant of the android banking trojan (Xenomorph 3rd Generation) named by Hadoken Security Group has surfaced with a new feature that allow it to perform financial fraud in a seamless manner. It abuses accessibility services to perform fraud through overlay attacks. It also packs in capabilities to automatically complete fraudulent transactions on infected devices, a technique called Automated Transfer System (ATS) which uses a module that allows it to launch the app and extract the authenticator codes. It also boasts of cookie-stealing functions, enabling the threat actors to perform account takeover attacks. Xenomorph is designed to target more than 400 banking and financial institutions, including several cryptocurrency wallets. The malicious code is distributed through Discord’s Content Delivery Network (CDN) and is delivered via trojanized versions of legitimate apps allowing them to automate the whole fraud chain from infection to funds exfiltration.
Consquences: Android malware boasts cookie stealing function to enable threat actor perform account takeover attacks to raid bank accounts and completely automate the whole fraud chain.
Impact/Probability: CRITICAL/HIGH
Solution :
- Install a reliable anti-malware solution
- Do not click on suspicious links and apps
- Users should not grant accessibility services privileges(permissions) if they do not know/understand why an application requires them.
- Be wary of emails and SMS containing suspicious attachments that has incorrect sender addresses and weird URLs.
- Update your devices with latest security patches from original manufacturer website or portal.
- Stay away from unofficial app stores
References:
https://thehackernews.com/2023/03/xenomorph-android-banking-trojan.html
https://www.hkcert.org/security-news
https://sigmacybersecurity.com/xenomorph-android-banking-trojan-returns-with-a-new-and-more-powerful-variant-unlock-the-secrets-of-financial-literacy-how-to-master-your-money/
https://malwaretips.com/threads/xenomorph-android-banking-trojan-returns-with-a-new-and-more-powerful-variant.121519/