The cybercriminals behind a sophisticated Android banking Trojan known as Xenomorph, who have been actively targeting users in Europe for more than a year, recently set their sights on customers of more than two dozen US banks.
Among those in the threat actor's crosshairs are customers of major financial institutions such as Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. New samples of the malware analyzed by researchers at ThreatFabric showed that it also contains additional features targeting several crypto wallets, including Bitcoin, Binance, and Coinbase.
Thousands of Android Users Affected
In a report this week, the Netherlands-based cybersecurity vendor said that thousands of Android users in the United States and Spain have downloaded the malware onto their devices since just August.
"Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions that have been historically of interest for this family, like Spain or Canada, and adding a large list of targets from the United States," ThreatFabric said. Users of Android devices from Samsung and Xiaomi — which together hold around 50% of Android market share — appear to be targets of particular interest for the threat actor.
Malware like Xenomorph highlights the growing and increasingly sophisticated nature of mobile threats, especially for Android users. A study released by Zimperium earlier this year showed that threat actors are significantly more interested in Android than iOS because of the higher number of vulnerabilities present in the Android environment. Zimperium found that Android app developers also tend to make more mistakes when developing apps than iOS developers do.
For the moment, adware and other potentially unwanted applications remain the top threat for Android users. But banking Trojans such as Xenomorph increasingly imperil these devices. In the first quarter of 2023, the share of banking Trojans as a proportion of all other mobile threats increased to nearly 19%, compared with 18% the previous quarter. The more notable among them included remote access Trojans with capabilities for stealing banking information, such as SpyNote.C, Hook, Malibot, and Triada.
Alien to Xenomorph
ThreatFabric first reported on Xenomorph in February 2022 after spotting the banking Trojan masquerading as legitimate apps and utilities on Google's Play mobile app store. One of them was "Fast Cleaner," an app that purported to remove clutter and optimize battery life but also sought to steal credentials to accounts belonging to customers of some 56 major European banks. More than 50,000 Android users downloaded the app onto their Android devices.
At the time, the malware was still under active development. Its many features included those for harvesting system information, intercepting SMS messages, and enabling online account takeovers. The company assessed that the developers of Xenomorph were likely the same as — or had some connection to — those behind another powerful Android remote access Trojan known as Alien.
Like other banking malware, Xenomorph contained overlays that spoof the account login pages of all of the targeted banks, the researchers found in their 2022 analysis. So when an Android user with a compromised device tried to log into an account with any of the banks on the target list, the malware automatically displayed a spoofed version of that bank's login page for capturing usernames, passwords, and other account information. Xenomorph also supported features for intercepting and stealing two-factor authentication tokens sent via SMS messages, giving the attackers a way to take over online accounts and steal funds from them.
Enter the new campaign in August 2023: in this latest round, the threat actors appear to have switched their main malware distribution mechanism. Instead of smuggling Xenomorph into Google Play, the operators of the malware are now distributing it via phishing Web pages. In many cases, these pages have purported to be trusted Chrome browser update sites or Google Play store websites.
One notable aspect of the latest version of Xenomorph is its sophisticated and flexible Automated Transfer System (ATS) framework for automatically transferring funds from a compromised device to an attacker-controlled one. Xenomorph's ATS engine contains several modules that allow the threat actor to take control of a compromised device and execute a variety of malicious actions.
These include modules that allow the malware to grant itself all the permissions it needs to run unhindered on a compromised device. Other features allow the malware to disable settings, dismiss security alerts, stop system resets and system uninstalls, and prevent certain privileges from being revoked. Many of these are capabilities that were present in initial versions as well.
What's new are capabilities that allow the malware to write to storage and to prevent a compromised device from slipping into "sleep" mode.
"Xenomorph maintains its status as an extremely dangerous Android banking malware, featuring a very flexible and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturers' devices," ThreatFabric said.