Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions

Cyber Security Threat Summary:
An updated version of an Android banking trojan called Xenomorph has set its sights on more than 35 financial institutions in the U.S. The campaign, according to Dutch security firm ThreatFabric, leverages phishing web pages that are designed to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors. Other prominent targeted countries include Spain, Canada, Italy, and Belgium. ‘This new list adds dozens of new overlays for institutions from the United States, Portugal, and multiple crypto wallets, following a trend that has been consistent amongst all banking malware families in the last year,’ the company said in an analysis published Monday. Some of the new capabilities added to the latest versions of Xenomorph include an "antisleep" feature that prevents the phone's screen from turning off by creating an active push notification, an option to simulate a simple touch at a specific screen coordinate, and the ability to impersonate another app using a "mimic" feature. (The Hacker News, 2023).

Security Officer Comments:
Xenomorph emerged in 2022 and has undergone several updates since then. Just last March, a new iteration was spotted with a new feature, dubbed Hadoken, to conduct fraud using what is referred to as an Automatic Transfer System (ATS). Using this system, the banking trojan can automatically extract credentials, access account balance information, initiate transactions, obtain MFA tokens from authenticator apps, and perform fund transfers, all without the need for any human intervention. According to researchers, the threat actors behind Xenomorph are now putting more effort into creating modules that support Samsung and Xiaomi. With these devices making up roughly 50% of the Android market, the actors are looking to expand their list of potential victims.

Suggested Correction(s):
Users should exercise caution when downloading applications online, as the banking trojan has masqueraded as legitimate apps and utilities on the Google Play store to infect users. More recently, researchers have noted that Xenomorph is also being distributed via counterfeit sites offering Chrome browser updates. Sites like these should be seen as a red flag and avoided, as Google does not offer security updates on third-party sites. Rather, updates for Chrome are built into the browser and can be applied by going to the browser settings.