Thursday September 19, 2024

Advisory ID: NCC-CSIRT-130323-015

Summary:  Xenomorph is an Android banking trojan that can carry out fraudulent transactions on infected devices end to end, from initial infection to funds exfiltration, without operator interaction. That automation makes it one of the most advanced and dangerous Android banking trojans currently in circulation.

Vulnerable Platform(s): Android operating system

Threat Type:  Malware

Product:  Banking applications / cryptocurrency wallets

Version:  All Versions

Description:  A new variant of the Android banking trojan Xenomorph (Xenomorph 3rd generation), attributed to the Hadoken Security Group, has surfaced with features that let it perform financial fraud end to end. It abuses Android accessibility services, which give a granted app the power to read screen content and inject taps and text on the user's behalf, and uses them to run overlay attacks that place fake login screens over legitimate banking apps to harvest credentials. On top of that it ships an Automated Transfer System (ATS) framework: a scripted engine that drives the victim's banking app through the accessibility API, enters the fraudulent transfer, and, to defeat two-factor authentication, launches the authenticator app and reads out the one-time codes. It also carries a cookie-stealing function that captures authenticated session cookies, allowing the operators to take over accounts without re-entering credentials. Xenomorph is configured to target more than 400 banking and financial institutions, including several cryptocurrency wallets. The malware is distributed through Discord's Content Delivery Network (CDN) inside trojanized versions of legitimate apps, so a single sideloaded install hands the operators the whole fraud chain from infection to funds exfiltration.

Consequences:  Account takeover of online banking and cryptocurrency wallet accounts via stolen credentials and session cookies, followed by automated fraudulent transfers that empty the victim's accounts; the entire fraud chain runs without the operators touching the device.

Impact/Probability: CRITICAL/HIGH

Solution:
  • Install a reputable anti-malware solution and keep Google Play Protect enabled.
  • Do not click on suspicious links and do not install apps delivered through chat platforms, file-sharing links or other untrusted sources.
  • Do not grant an app accessibility service access unless you know and understand why it needs it; legitimate banking and wallet apps never require it. Review the apps that already hold accessibility access in Settings > Accessibility and revoke it for anything that is not a genuine assistive tool.
  • Be wary of emails and SMS messages carrying attachments or links, especially where the sender address is incorrect or the URL looks unusual.
  • Keep devices updated with the latest security patches from the original manufacturer's website or update portal.
  • Stay away from unofficial app stores and sideloaded APKs; install apps only from the official store.

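
The two conditions the advisory describes, a third-party app holding accessibility access and apps installed from outside the official store, can be checked on a connected device over adb. The script below is an added example written for this advisory, not code from NCC-CSIRT or from any Xenomorph analysis. It reads the Android system setting enabled_accessibility_services (a colon-separated list of package/service components) and the output of pm list packages -3 -i (one "package:<pkg>  installer=<pkg|null>" line per third-party app), and flags anything not on a constructed allowlist or not installed by the Play Store (com.android.vending). The allowlist contents and the --live flag are assumptions for the example; adapt them to your own fleet.

```shell
#!/bin/sh
# Added example (not part of the NCC-CSIRT advisory): audit an Android device
# over adb for third-party apps holding Accessibility Service access and for
# apps that were not installed by the Play Store. The parsing functions take
# the raw command output as a string so they can be exercised offline on
# constructed samples.

# Packages permitted to hold accessibility access. Constructed placeholder:
# replace with the assistive apps your users actually rely on.
ALLOWLIST="com.google.android.marvin.talkback"

# Split Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
# ("pkg/Service:pkg2/Service2", or "null" when none) into one component per line.
parse_enabled_services() {
    case "$1" in
        ""|null) return 0 ;;
    esac
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}

is_allowlisted() {
    for p in $ALLOWLIST; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print every enabled accessibility service whose package is not allowlisted.
suspicious_services() {
    parse_enabled_services "$1" | while IFS= read -r comp; do
        pkg=$(printf '%s\n' "$comp" | cut -d/ -f1)
        is_allowlisted "$pkg" || printf '%s\n' "$comp"
    done
}

# Parse `pm list packages -3 -i` output ("package:<pkg>  installer=<pkg|null>")
# and print third-party packages that did not come from the Play Store.
sideloaded_packages() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        pkg=$(printf '%s\n' "$line" | sed 's/^package:\([^[:space:]]*\).*$/\1/')
        installer=$(printf '%s\n' "$line" | sed -n 's/.*installer=\([^[:space:]]*\).*$/\1/p')
        [ "$installer" = "com.android.vending" ] || printf '%s\n' "$pkg"
    done
}

# Live mode: query the attached device (requires adb and USB debugging).
audit_device() {
    svc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    pkgs=$(adb shell pm list packages -3 -i | tr -d '\r')
    echo "Accessibility services held by non-allowlisted packages:"
    suspicious_services "$svc"
    echo "Third-party packages not installed by the Play Store:"
    sideloaded_packages "$pkgs"
}

if [ "${1:-}" = "--live" ]; then
    audit_device
fi
```

Run it as `sh audit.sh --live` with a device attached. Any line under the first heading is a package that can read and drive every app on the screen, which is exactly the capability Xenomorph's overlay and ATS modules depend on; anything under the second heading arrived by sideloading and deserves a closer look. A package appearing under both headings is the pattern to treat as an incident.
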
References: 

https://thehackernews.com/2023/03/xenomorph-android-banking-trojan.html

https://www.hkcert.org/security-news

https://sigmacybersecurity.com/xenomorph-android-banking-trojan-returns-with-a-new-and-more-powerful-variant-unlock-the-secrets-of-financial-literacy-how-to-master-your-money/

https://malwaretips.com/threads/xenomorph-android-banking-trojan-returns-with-a-new-and-more-powerful-variant.121519/