50,000 Xenomorph banking trojans installed from Google Play

ThreatFabric, a firm specializing in the fight against bank fraud, has detected a banking trojan called Xenomorph on Google's Play Store. The malware hides inside malicious applications, including one called Fast Cleaner.

Online application stores are fertile ground for attackers who manage to get malicious applications published on them. The latest example is the Xenomorph banking trojan discovered by ThreatFabric, which specializes in the fight against bank fraud. While the link with an earlier piece of malware called Alien seems obvious, Xenomorph is in fact far more dangerous. Moreover, according to the analysis of its code, not all of its functionality has been implemented yet. Even as Google steps up measures to keep infected apps off its store, it is clear that there are still gaps in its defences.

One of the booby-trapped applications carrying Xenomorph is a fake data-cleaning tool, Fast Cleaner. Already installed 50,000 times, it endangers users who have applications from 56 European banks (in Spain, Portugal, Italy and Belgium), cryptocurrency wallets or messaging services on their phones. Distributed by a dropper family (Gymdrop) already seen delivering the Alien.A payload, this type of malicious application carries out overlay attacks to steal banking credentials, and combines them with the interception of SMS messages and notifications to capture 2FA tokens. "The accessibility engine that powers this malware, as well as the command and control infrastructure and protocol, are carefully designed to be scalable and updatable," ThreatFabric warns.


Fake login screen for a banking application, shown after installation of an application carrying Xenomorph. (Credit: ThreatFabric)

Fake login screens to steal bank details

"Once the malware is up and running on an endpoint, its background services receive accessibility events whenever something new happens on it. If the open application is part of the target list, then Xenomorph will trigger an overlay injection and display a WebView activity impersonating the targeted package," ThreatFabric continues. Concretely, this can take the form of fake login screens for the victim's banking application, encouraging them to enter their banking credentials or even their bank card details (number, name and CVV).

Users must therefore be more alert than ever when a prompt asks them to grant an application full control over the device, and this is precisely what happens with Fast Cleaner. Common sense calls for a step back from this situation: why give so many rights to an application? If the request is accepted, a well-established attack scenario plays out, but it can often be avoided with a good dose of vigilance.
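The "full control" prompt described above is the Android accessibility-service permission, and the article's point that overlay malware depends on it suggests a simple defensive check: enumerate which accessibility services are actually enabled on a device and flag any that have not been reviewed. The following script is an added example and is not code from the article or from ThreatFabric. It assumes the documented output format of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/class` component names, or `null` when unset); the allowlist and the `com.example.fastcleaner` package in the sample are constructed placeholders, not identifiers from the page.

```python
"""Audit enabled Android accessibility services from `adb shell settings` output.

Added example, not part of the article or ThreatFabric's research.
Assumes the documented format of the `enabled_accessibility_services` secure
setting: colon-separated ComponentName strings ("package/class"), where a class
beginning with "." is shorthand for a class inside that package, and "null"
when the setting has never been written.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str


def parse_enabled_services(setting: str) -> list[AccessibilityService]:
    """Parse the raw setting value into (package, class) pairs."""
    value = setting.strip()
    if not value or value == "null":
        return []  # nothing enabled, or setting never set
    services: list[AccessibilityService] = []
    for item in value.split(":"):
        item = item.strip()
        if not item:
            continue  # tolerate trailing or doubled separators
        package, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = package + cls  # expand relative class name
        services.append(AccessibilityService(package, cls))
    return services


def audit_services(setting: str, allowlist: set[str]) -> list[AccessibilityService]:
    """Return enabled services whose package is not on the reviewed allowlist."""
    return [s for s in parse_enabled_services(setting) if s.package not in allowlist]


def read_setting_via_adb(serial: str | None = None) -> str:
    """Read the live value from an attached, authorised device (adb must be on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed allowlist: packages an organisation has reviewed. TalkBack is
# Google's real screen-reader package; anything else here would be added
# deliberately after review.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Constructed sample output: TalkBack plus a hypothetical "cleaner" app that
# has obtained accessibility control, as the article describes.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fastcleaner/.CleanerAccessibilityService"
)

if __name__ == "__main__":
    for svc in audit_services(SAMPLE_SETTING, KNOWN_GOOD_PACKAGES):
        print(f"unreviewed accessibility service: {svc.package} ({svc.service_class})")
```

Run against a real device by replacing `SAMPLE_SETTING` with `read_setting_via_adb()`; on a fleet, the same check belongs in the mobile device management inventory, since an accessibility service is the one capability an overlay trojan of this kind cannot do without.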
