Site icon TechNewsBoy.com

Newly-discovered Android malware steals banking app login credentials

Earlier this month, security researchers at ThreatFabric discovered a dangerous new trojan. They dubbed it Xenomorph due to its ties with the Alien malware, which started to make the rounds in fall of 2020. But while the code resembles that of Alien, the Xenomorph malware is far more capable. According to ThreatFabric, more than 50,000 Android users have installed a malicious application containing the banking app malware. The threat actors behind the malware are reportedly targeting users of 56 different banks in Europe.

Xenomorph banking app malware discovered

As ThreatFabric notes, hackers are always finding new ways to distribute malicious software through the Google Play store. Google is fighting back, but determined hackers always seem to be one step ahead. One recent, nefarious example was the Fast Cleaner app. It claimed to be capable of speeding up Android phones by removing clutter. But in reality, Fast Cleaner was a dropper for the Xenomorph banking app malware.

Here’s what ThreatFabric found after analyzing the application:

Upon analysis, we recognized this application as belonging to the Gymdrop dropper family. Gymdrop is a dropper family discovered by ThreatFabric in November 2021. Previously it was observed deploying a Alien.A payload. From the configuration downloaded by the dropper, ThreatFabric was able to confirm that this dropper family continues to adopt this malware family as its payload. However, contrary to the past, the server hosting the malicious code also contained two other malware families, which were also returned instead of Alien, based on specific triggers.

In addition to distributing the Alien and Exobot trojans, the app also contained a brand new malware family. And that’s how ThreatFabric first discovered Xenomorph.

A comprehensive list of the Xenomorph banking app malware’s capabilities. Image source: ThreatFabric

What can Xenomorph do?

ThreatFabric says Xenomorph is still under development, but is already capable of wreaking havoc. The malware’s primary goal is to use an overlay attack to steal credentials for banking apps. It can also intercept texts and notifications to log and use 2FA tokens. ThreatFabric also notes that Xenomorph is designed to be “scalable and updatable.”

“The information stored by the logging capability of this malware is very extensive,” security researchers from ThreatFabric warn in their article, “and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioural data on victims and on installed applications, even if they are not part of the list of targets.”

As with most other banking app malware, Xenomorph depends on users giving it access to their devices. Once it infects a device, the malware will ask for Accessibility Service privileges. If it gains those privileges, it can “log everything that happens on the device.”

So far, the malware has targeted users in Spain, Portugal, Italy, and Belgium. Even though it’s still in early stages of development, researchers say it has plenty of untapped potential. Currently, “Xenomorph is capable of abusing Accessibility Services to steal [personal identifiable information] from unaware victims, prevent uninstallation and intercept SMS and notifications.” In the future, it could become even more dangerous.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.
Exit mobile version