This super-dangerous Android malware has returned to target US shoppers and bankers
The infamous Xenomorph Android malware is back with new tools and ready to steal more than just money from unsuspecting victims, experts warn.
Cybersecurity researchers at ThreatFabric, who have been monitoring the malware since early 2022, report that its operators are currently running a new campaign targeting victims in the US, Canada, Spain, Italy, Portugal and Belgium.
The infection chain is similar to what we’ve seen in the past with Xenomorph: the attackers set up phishing pages, ‘warn’ victims that their Chrome browser needs to be updated, and then deliver the malicious APK to the endpoint.
New distribution mechanism
Those who take the bait and install the APK will get an advanced version of Xenomorph, which is capable of stealing money from numerous banks, as well as cryptocurrencies from various wallets.
The malware does this by overlaying legitimate apps with fake login screens, and this time Xenomorph comes with about a hundred different overlays. It picks the overlay that matches the banking or wallet app the victim is using.
“This latest campaign also added many United States financial institutions, along with multiple crypto wallet applications, totaling over 100 different targets per sample, each using a specially crafted overlay to steal precious PII from the infected device of the victim,” the researchers said in their technical paper.
Xenomorph has undergone numerous changes over the years. The latest version comes with a number of new features, including a way to mimic legitimate apps, the ability to simulate taps on the screen, and a trick that keeps the smartphone from turning off its screen by occasionally posting active notifications.
The malware was first discovered in early 2022, when it was observed targeting users of 56 banks in Europe. At the time, it was distributed through Google Play and was downloaded more than 50,000 times. It has since been removed from Google’s store and is now distributed via a dropper called “BugDrop”.
Via BleepingComputer