While combing through the Google Play store, security researchers at ThreatFabric spotted a brand new banking Trojan. It was distributed as a utility application called “Fast Cleaner”, which promised to improve the performance of Android smartphones and which more than 50,000 users had installed.
The malware has been dubbed “Xenomorph”, after the alien creature in Ridley Scott’s Alien, the film that also gave its name to an earlier banking Trojan. Several technical clues suggest that the same criminal group is behind both Alien and Xenomorph.
At present, Xenomorph is still at an early stage: many functions are referenced in its code but not yet implemented. The most important modules, however, are already in place. Upon installation, Xenomorph asks the user to grant it accessibility service access, which is what allows it to carry out overlay attacks, a fairly standard technique among Android bankers. When the malware detects that a targeted banking app has been brought to the foreground, it draws its own screen over that app’s interface in order to capture the credentials the victim types.
Xenomorph can also intercept text messages and notifications, which lets it harvest one-time codes delivered by SMS or push notification and thus bypass strong authentication. All commands are received from command-and-control servers, and the malware handles this communication with the open source (and perfectly legitimate) Retrofit2 HTTP client library. The malware targets 56 banking institutions in four European countries (Belgium, Spain, Portugal, Italy), as well as a dozen more general applications (messaging, cryptocurrency wallets, etc.). Being modular by design, Xenomorph is likely to gain functionality and become a highly capable Trojan.
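The capability mix described above (an accessibility service, an overlay permission, and SMS or notification access) is what a reviewer would look for when triaging a “cleaner” utility that should need none of it. The following Python script is an added example, not ThreatFabric’s tooling and not derived from the Xenomorph sample: it reads a decoded AndroidManifest.xml (for instance the output of apktool) and flags that combination. The manifest embedded in it is constructed for illustration, and the function and constant names are the example’s own.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability mix that
overlay bankers rely on: an accessibility service (to learn which app is in the
foreground and drive the UI), the overlay permission (to draw a fake login
screen on top of the bank's app), and SMS or notification access (to harvest
one-time codes).

Added example, not ThreatFabric's code and not from the Xenomorph sample.
Assumes the manifest has already been decoded to plain XML (e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an app requests with <uses-permission>.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Permissions a <service> must be protected with for the system to bind it
# as an accessibility service or a notification listener.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed manifest mimicking a "cleaner" utility that declares every
# capability an overlay banker needs. Not taken from any real sample.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fastcleaner.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Fast Cleaner">
        <service android:name=".AccessService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Constructed manifest of a utility that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.honestcleaner.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Honest Cleaner"/>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Report which overlay-banker capabilities a decoded manifest declares.

    Returns a dict of booleans; 'overlay_banker_pattern' is True when an
    accessibility service is combined with at least one interception
    capability (overlay, SMS, or notification listener).
    """
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    service_perms = {el.get(ANDROID_NS + "permission") for el in root.iter("service")}

    findings = {
        "accessibility_service": ACCESSIBILITY_BIND in service_perms,
        "overlay": bool(requested & OVERLAY_PERMS),
        "sms": bool(requested & SMS_PERMS),
        "notification_listener": NOTIFICATION_BIND in service_perms,
    }
    # Any one of these on its own is common in legitimate apps (screen readers,
    # SMS clients, chat heads). Accessibility plus an interception capability
    # in an app that advertises itself as a phone cleaner is what deserves a
    # closer look; treat it as a triage signal, not proof of malice.
    findings["overlay_banker_pattern"] = findings["accessibility_service"] and (
        findings["overlay"] or findings["sms"] or findings["notification_listener"]
    )
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The check is deliberately conservative: it keys on the service-level `android:permission` declarations rather than on class names, because a banker can rename its components freely but cannot be bound as an accessibility service or notification listener without those exact protections. Pair it with the app’s stated purpose; a screen reader legitimately needs accessibility, a phone cleaner does not.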