Financial shock: Xenomorph Trojan drains accounts at major banks

CarderPlanet

New features added to the Trojan help it clean out crypto wallets and bank customers' accounts.

The cybercriminals behind a sophisticated Android banking Trojan called Xenomorph have been actively attacking users in Europe for more than a year and have recently switched to customers of more than 20 US banks.

The main targets include clients of major financial institutions such as Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. The new malware samples analyzed by researchers at ThreatFabric also contain features that target several cryptocurrency wallets, including Bitcoin, Binance, and Coinbase.

According to a report by ThreatFabric, thousands of Android users in the US and Spain have downloaded the malware onto their devices since August. Users of Samsung and Xiaomi devices, which together account for about 50% of the Android market, are particularly at risk.

ThreatFabric first reported on Xenomorph in February 2022, when it detected the Trojan masquerading as legitimate apps on Google Play. One of them was downloaded by more than 50,000 Android users.

In the latest campaign, which began in August 2023, the attackers changed their main method of distributing the malware. Xenomorph is now being distributed through phishing sites, many of which pose as Chrome or Google Play update pages.


Fake Update Page

A feature of the latest version of Xenomorph is a sophisticated and flexible Automated Transfer System (ATS), which automatically moves funds out of the banking accounts reachable from an infected device and into accounts controlled by the attacker.

The ATS mechanism is made up of several modules that let the operator take control of a compromised device and perform a range of malicious actions. Among them are modules that allow the malware to grant itself all the permissions it needs to run unhindered on the compromised device.

Other features let the malware disable settings, dismiss security warnings, block device reboots and uninstall attempts, and prevent certain privileges from being revoked. Many of these capabilities were already present in the original versions.

The new version of Xenomorph also adds features that let the malware write data to storage and keep a compromised device from entering sleep mode.

ThreatFabric's researchers concluded that Xenomorph retains its status as an extremely dangerous Android banking malware, with a very versatile and powerful ATS engine, several modules already built in, and support for devices from multiple manufacturers.

Xenomorph was first reported in February 2022. It targeted 56 European banks using dropper apps published in the Google Play Store. The penultimate iteration of Xenomorph was built to target more than 400 banking and financial institutions, including several cryptocurrency wallets, and added new capabilities. Thanks to them, Xenomorph can fully automate the entire attack chain, from infection to theft of funds, which makes it one of the most advanced and dangerous Trojans for Android.
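Since the current campaign relies on a sideloaded APK posing as a Chrome or Google Play update, one quick triage check on a suspect device is to list the installed packages together with the installer Android recorded for each, and flag Chrome/Play lookalikes that did not come from the Play Store. The Python helper below is an added example, not code from the article or from ThreatFabric: the `adb shell pm list packages -i` line format it parses, the lookalike substrings, and the sample dump are assumptions constructed for illustration, and a real investigation would confirm any hit by pulling the APK and inspecting its manifest and signer.

```python
"""Triage helper: flag sideloaded Android packages impersonating Chrome or Google Play.

Added example, not the article's or ThreatFabric's code. It parses the output of
`adb shell pm list packages -i` (assumed format: "package:<name>  installer=<pkg|null>")
and flags package names that mimic Chrome/Play but were not installed by the Play Store.
"""
import re
from typing import Dict, Iterable, List, Optional

# Genuine package names of the apps the fake "update" pages impersonate.
LEGIT_PACKAGES = {"com.android.chrome", "com.android.vending"}
PLAY_STORE = "com.android.vending"

# Substrings a lookalike package name might carry. This list is an assumption
# made for the example, not an indicator published by ThreatFabric.
LOOKALIKE_TOKENS = ("chrome", "vending", "playstore", "googleplay", "google.play")

# Assumed shape of one `pm list packages -i` line.
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_list(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Parse `pm list packages -i` output into {pkg, installer} records.

    Lines that do not match the expected shape are skipped rather than raising,
    so a partially garbled dump still yields results. "null" becomes None.
    """
    records: List[Dict[str, Optional[str]]] = []
    for raw in lines:
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        inst = m.group("inst")
        records.append({"pkg": m.group("pkg"), "installer": None if inst == "null" else inst})
    return records


def is_sideloaded(installer: Optional[str]) -> bool:
    """Anything not installed by the Play Store counts as sideloaded here."""
    return installer != PLAY_STORE


def flag_lookalikes(records: List[Dict[str, Optional[str]]]) -> List[str]:
    """Return package names that mimic Chrome/Play but did not come from Play."""
    flagged: List[str] = []
    for rec in records:
        pkg = rec["pkg"]
        if pkg in LEGIT_PACKAGES:
            continue  # the real app, whatever its installer
        if not is_sideloaded(rec["installer"]):
            continue  # installed through the Play Store
        low = pkg.lower()
        if any(tok in low for tok in LOOKALIKE_TOKENS):
            flagged.append(pkg)
    return flagged


# Constructed sample dump for illustration, not a real device capture.
SAMPLE_DUMP = """\
package:com.android.chrome  installer=com.android.vending
package:com.android.vending  installer=null
package:com.google.android.gms  installer=null
package:com.chrome.update.installer  installer=null
package:com.playstore.updater  installer=com.google.android.packageinstaller
package:com.example.notes  installer=com.android.vending
garbage line that should be ignored
"""

if __name__ == "__main__":
    recs = parse_pm_list(SAMPLE_DUMP.splitlines())
    for pkg in flag_lookalikes(recs):
        print("suspicious sideloaded lookalike:", pkg)
```

In practice the dump comes from `adb shell pm list packages -i` on the device under investigation; the heuristic only narrows the list, since a dropper can pick any package name and a preinstalled system app will also show `installer=null`, which is why the genuine packages are allow-listed and why a hit should be confirmed against the APK itself.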
 