More than 50,000 downloads and "support" for more than 400 banks around the world, plus cryptocurrency and fintech wallets. Those could be the figures of a successful financial product, but they are the numbers behind Xenomorph, a highly modular Android banking trojan whose latest version targets major institutions worldwide, including the biggest names in the Brazilian sector.

Banks such as Bradesco, Itaú, Santander and Caixa appear among the more than 400 institutions targeted by Xenomorph, whose five most-targeted countries are Spain, Turkey, Poland, the United States and Australia. The target list also includes cryptocurrency companies such as Binance, Gemini, Coinbase and BitPay.

The malware, which targets the Android operating system, is now in its third and most advanced version and is distributed through fraudulent applications on the Google Play Store. According to the cybersecurity company ThreatFabric, the developers' goal, beyond the profit from selling the malware as a service on cybercriminal forums, is to automate the entire financial fraud chain: from infecting the smartphone to stealing credentials and moving the victim's funds out of the account.

Like most threats against the platform, Xenomorph works by abusing Android Accessibility Services, which let it draw overlay screens on top of legitimate apps (to capture credentials) and read authentication codes delivered in notifications. The so-called third generation of the malware is still spread through the Google Play store disguised as a cryptocurrency converter, but once installed it swaps its icon for that of Google's own Play Protect service to hide its presence from the user.
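Because every capability described above depends on the app holding Accessibility Service access, a quick triage on a suspect device is to list which packages currently have an accessibility service enabled and which of them were not installed from the Play Store. The script below is an added example written for this page, not ThreatFabric's tooling or anything taken from the malware; it parses the output of two real `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`), but the sample output embedded here is constructed, and the allowlist of known-good accessibility packages is a hypothetical starting point you would tune for your own fleet.

```shell
#!/bin/sh
# Accessibility-service triage for a suspect Android device.
# On a real device, capture the two inputs with:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# The strings below are CONSTRUCTED sample output so the script runs offline.

# Colon-separated component names, as returned by `settings get`.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.fake.converter/com.fake.converter.AccService'

# Output of `pm list packages -i` (installer=null means sideloaded/unknown).
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.fake.converter  installer=null
package:com.bank.app  installer=com.android.vending'

# Hypothetical allowlist of packages legitimately expected to run an accessibility service.
ALLOWLIST='com.google.android.marvin.talkback'

# a11y_packages "<settings string>" -> unique package names, one per line
# ("null" is what `settings get` prints when nothing is enabled).
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v '^null$' | sort -u
}

# is_allowed <pkg> -> exit 0 if pkg is on ALLOWLIST
is_allowed() {
    for p in $ALLOWLIST; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# installer_of <pkg> "<pm output>" -> installer package, or "unknown" if pkg is absent
installer_of() {
    printf '%s\n' "$2" | awk -v pkg="package:$1" '
        $1 == pkg { sub("installer=", "", $2); print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# flag_a11y "<settings string>" "<pm output>"
#   -> one line "<pkg> <installer>" per enabled accessibility package not on the allowlist
flag_a11y() {
    a11y_packages "$1" | while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        if ! is_allowed "$pkg"; then
            printf '%s %s\n' "$pkg" "$(installer_of "$pkg" "$2")"
        fi
    done
}

# Stand-alone run on the constructed sample: prints the sideloaded "converter".
flag_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

A flagged package with `installer=null` and an accessibility service enabled is not proof of infection, but it is exactly the combination an overlay banker needs, and it is the first thing worth pulling for a closer look (certificate, requested permissions, and whether its launcher icon claims to be Play Protect).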

What most caught the attention of ThreatFabric's researchers, however, was the autonomous operation of the new version: the operator only has to send a script containing a list of actions, and the malware carries them out on its own. This is made possible by an automated transfer framework built by the gang behind Xenomorph, the so-called Hadoken Group, which removes the need for the attacker to issue a separate remote command for each step of a fraud.

Another offensive highlight is the ability to harvest two-step authentication codes generated by authenticator apps, which keeps the scams effective as financial institutions move away from SMS as a verification channel. Meanwhile, a system for prioritizing and conditioning actions adds further stealth, allowing the fraudulent operations to run, for example, only at specific times or only while the user is not interacting with the phone.

With websites and forum posts promoting the malware and mass distribution following its testing phases, ThreatFabric considers Xenomorph a threat to be reckoned with in the Android ecosystem. It was already regarded that way a year ago, when it was first detected, and with its expanded capabilities it is likely to become an even greater danger to users.

The recommendation, therefore, is to be careful when downloading applications, even from the Google Play store. Check the reviews and download counts, and prefer well-known solutions from established, verified publishers over recently released software from developers with few or no other apps in the marketplace. A little research before installing usually helps separate legitimate applications from fraudulent ones.

Source: ThreatFabric
