A new version of the Xenomorph Android malware has been released, adding significant capabilities for conducting malicious attacks, including a new automated transfer system (ATS) framework and the ability to steal credentials for 400 banks. Xenomorph was first spotted in February 2022 by ThreatFabric, which discovered the first version of the banking trojan on the Google Play store, where it amassed over 50,000 downloads. That first version targeted 56 European banks using injections for overlay attacks and abused Accessibility Services permissions to perform notification interception to steal one-time codes. Its authors, “Hadoken Security,” continued developing the malware throughout 2022, but the newer releases were never distributed in high volumes. Instead, Xenomorph v2, which was released in June 2022, only had short bursts of testing activity in the wild. However, the second version was notable for its complete code overhaul, which made it more modular and flexible.
Xenomorph v3 is far more capable and mature than the previous versions. It can automatically steal data, including credentials, view account balances, perform banking transactions, and finalize fund transfers. “With these new features, Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation,” warns ThreatFabric. ThreatFabric reports that Hadoken likely plans to sell Xenomorph to operators via a MaaS (Malware-as-a-Service) platform, and the launch of a website promoting the new version of the malware strengthens this hypothesis. Currently, Xenomorph v3 is being distributed via the ‘Zombinder’ platform on the Google Play store, posing as a currency converter and switching to a Play Protect icon after installing the malicious payload. Some examples of targeted institutions include Chase, Citibank, American Express, ING, HSBC, Deutsche Bank, Wells Fargo, Amex, Citi, BNP, UniCredit, National Bank of Canada, BBVA, Santander, and Caixa. Moreover, the malware targets 13 cryptocurrency wallets, including Binance, BitPay, KuCoin, Gemini, and Coinbase.
The most notable feature introduced in the new Xenomorph version is the ATS framework. “The [ATS execution] engine used by Xenomorph stands out from its competition thanks to the extensive selection of possible actions that are programmable and can be included in ATS scripts, in addition to a system that allows for conditional execution and action prioritization,” explain ThreatFabric’s researchers. One of the most impressive capabilities of the malware’s ATS framework is its ability to log the content of third-party authentication applications, beating MFA (multi-factor authentication) protections that would otherwise block automated transactions.