Xenomorph Android Malware Attacks 400 Banks Customers

As per the latest findings of ThreatFabric, a version of the Android banking trojan with the name Xenomorph has been discovered in the wild as a new variant of the trojan.

Mobile banking has been gaining a lot of attention from criminals recently as many have abandoned rudimentary approaches in favor of a more refined and professional approach to the world of mobile banking.

This week, a new version of the Android malware called Xenomorph has been released, which contains a number of significant new features that can be used to conduct malicious attacks on Android devices in order to gain control of them.

Aside from this, it also has the ability to steal credentials for 400 banks, as well as the capability to automate the transfer of funds between banks.

Distribution of Android Malware

Consequently, users should be cautious when installing apps from the Google Play store as a result of the threats they face. Users should read the reviews and run background checks on the publishers before installing an app from Google Play.

ThreatFabric was also able to identify some samples related to test campaigns as a result of its detection capabilities. 

These samples appear to have been obtained using third-party hosting services, specifically Discord Content Delivery Network (CDN), which have been used to abuse the distribution of the samples.

GymDrop began distributing Xenomorph to its customers in February of 2022, and the first variants were distributed to them in the month of March. Later in the year, Hadoken decided to switch distribution mediums, trying the first BugDrop before settling on Zombinder.

New Targets of Xenomorph

In the past few years, Xenomorph has been using overlay attacks as a means of collecting PII, such as passwords and usernames, since its first appearance.

A MaaS campaign with Android Banking malware may have different targets, depending on the threat actor(s) managing it and the malware variant.

The Xenomorphs, which maintained a relatively stable configuration throughout the year 2022, specifically targeted Spain, Portugal, and Italy during their attack in 2022.

It is also worth mentioning that several cryptocurrency wallets have also been introduced with the most recent campaigns, along with Belgian and Canadian institutions as well.


A few of the new features that have been added to this attack make it different from the previous one in several ways. After the recent attack, the experts have concluded that the previous attack didn’t have a lot of features as compared to the recent attack, so the previous attack was lacking a lot of new features.

In this section, you will find a list of all the updated capabilities that the threat actors have introduced in the new attack they have launched.

  • app_start: Start Specified Application
  • show_push: Show Push notification
  • cookies_handler: Obtain Cookies
  • send_sms: Send SMS
  • make_ussd: Run USSD Code
  • call_forward: Forward Call
  • execute_rum: Run ATS Module

In order to exploit the move by banks to implement authenticator apps instead of SMS for two-factor authentication (2FA), the Xenomorph trojan incorporates an ATS module that allows it to launch the app and extract the authenticator codes from the app.

Cookie stealer capabilities have also been added to Xenomorph’s arsenal of weapons, which already boasts a wide range of capabilities. 

The best way to ensure that your phone is secure is to keep the number of apps running on it as low as possible and only install apps from trusted and known vendors.

Network Security Checklist – Download Free E-Book

Source: gbhackers.com