Researchers have uncovered a new distribution campaign for the Xenomorph malware, focusing on Android users in the United States, Canada, Spain, Italy, Portugal, and Belgium.
Analysts at the cybersecurity firm ThreatFabric have been monitoring Xenomorph activity since February 2022; this new campaign, however, emerged in August of this year.
The most recent iteration of Xenomorph specifically targets users with cryptocurrency wallets and customers of various financial institutions in the US and other regions.
Xenomorph Android malware
Xenomorph initially surfaced in early 2022, operating as a banking trojan that employed screen overlay phishing techniques to target 56 European banks. It was distributed through Google Play, and the malicious app managed to amass over 50,000 installations.
The creators, a team known as “Hadoken Security,” have persisted in advancing their malware. In June 2022, they introduced a new version that enhanced the malware’s modularity and flexibility.
By August 2022, ThreatFabric had reported that Xenomorph was being disseminated through a fresh dropper called “BugDrop,” adept at circumventing security measures in Android 13.
In December 2022, these analysts reported on a novel malware distribution platform known as “Zombinder.” This platform concealed the threat within legitimate APK files of Android apps.
Just a few months ago, in March 2023, a third major iteration of Xenomorph came to light, boasting an automated transfer system (ATS) capable of conducting autonomous transactions on the device.
This version could bypass Multi-Factor Authentication (MFA), pilfer cookies, and had the capacity to target over 400 banks.
Xenomorph Android malware: New campaign
In the latest campaign, which commenced in August 2023, the operators of the Xenomorph Android malware opted to employ phishing pages. These pages urged visitors to update the Chrome browser on their mobile devices, with the goal of tricking them into downloading the malicious APK.
As per the researchers, the malware still relies on overlays to steal information. However, it has broadened its scope to encompass banks in the United States and multiple cryptocurrency apps.
ThreatFabric explains that each Xenomorph sample is loaded with about a hundred overlays that target different sets of banks and crypto apps, depending on the target demographic.
While the new Xenomorph specimens don’t exhibit significant differences from previous variants, they do introduce some new features.
One of these features is “mimic,” which can be activated using a specific command. This enables the malware to emulate the behavior of any other application.
This feature also includes another built-in function known as “IDLEActivity,” which functions as a WebView to display genuine web content from within a trusted process.
Consequently, there is no requirement to conceal icons from the launcher after installation, a behavior that is typically flagged as suspicious by most security tools.
Another new feature is “ClickOnPoint,” enabling Xenomorph Android malware operators to simulate taps at precise screen coordinates, simplifying tasks without invoking the full ATS module, which could trigger security warnings.
Additionally, there’s a new “antisleep” system that prevents the device’s screen from turning off. This helps maintain uninterrupted command and control communications, so the connection does not have to be restored after an outage.
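The capabilities described above (overlays drawn over other apps, simulated taps, keeping the device awake, and an installer that arrives as a sideloaded “Chrome update”) each leave a trace in an app’s manifest. The following Python triage script is an added example written for this page; it is not code from the article or from ThreatFabric. It assumes the AndroidManifest.xml has already been decoded to plain XML (for example with apktool) and that the app’s label is a literal string rather than a resource reference. The mapping from permission to behaviour is an analyst’s heuristic, not a Xenomorph signature, and the two manifests are constructed sample inputs.

```python
"""Triage a decoded AndroidManifest.xml for traits typical of overlay banking
trojans delivered as fake browser updates (added example, not from the article)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package names used by official Chrome channels. Assumption: an app whose
# label says "Chrome" but whose package is not one of these is suspect.
OFFICIAL_CHROME_PACKAGES = {
    "com.android.chrome", "com.chrome.beta", "com.chrome.dev", "com.chrome.canary",
}

# Heuristic mapping: requested permission -> capability a banking trojan wants.
SUSPECT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.WAKE_LOCK": "can keep the device awake (anti-sleep)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (OTP interception)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return None if elem is None else elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    findings = []
    package = root.get("package", "")

    # 1. Impersonation: label claims Chrome but the package is not an official one.
    label = _attr(root.find("application"), "label") or ""
    if "chrome" in label.lower() and package not in OFFICIAL_CHROME_PACKAGES:
        findings.append(f"label {label!r} claims Chrome but package is {package!r}")

    # 2. Requested permissions that enable overlays, anti-sleep, dropping, OTP theft.
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    for perm, why in SUSPECT_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"{perm}: {why}")

    # 3. An accessibility service is how apps read the screen and inject taps
    #    (the building block for features like ClickOnPoint or an ATS).
    for svc in root.iter("service"):
        if _attr(svc, "permission") == ACCESSIBILITY_BIND:
            findings.append(f"declares accessibility service {_attr(svc, 'name')}")
            break
    return findings


# Constructed sample: a fake "Chrome" update with the suspicious trait set.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Chrome">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that should produce no findings.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml) or ["no findings"])
```

Any one of these findings is legitimate in some app (a screen-reader needs an accessibility service, a media player holds a wake lock), so the value is in the combination: an app installed outside the store, calling itself a browser, that also wants overlays, an accessibility service and the right to install more packages is the pattern worth escalating.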
ThreatFabric security researchers managed to access the attackers’ payload hosting infrastructure and uncovered additional malicious payloads alongside the Xenomorph Android malware. Among these discoveries were upcoming Android variants of Jellyfish, as well as the Cabassous malware, Windows information stealers known as RisePro and LummaC2, and the Private Loader malware loader.
These findings highlight the need for vigilant caution when receiving notifications on mobile devices that suggest browser updates, as they are frequently components of malware distribution campaigns.
Android malware like Xenomorph remains a persistent threat to mobile devices. As security evolves, attackers continually seek new avenues to breach these systems. Staying informed, using antivirus protection, keeping apps and the OS updated, and exercising caution with web content and messages are vital safeguards.