Besides the name of the creature that “stars” in the Alien movies by 20thCentury Fox, Xenomorph is also the name given to an Android banking Trojan. Researchersfound this banking Trojan to be distributed on the official Google Play Store, with more than 50,000 installations.
The researchers dubbed this malware Xenomorph because it shows similarities to another banking Trojan that is generally known as Alien.
Fast Cleaner
The researchers found the dropper for the Xenomorph banking Trojan on the Google Play Store under the name Fast Cleaner, pretending to be an application aimed at speeding up the device by removing unused clutter and removing battery optimization blocks. In reality this application was a Trojan dropperwhich contacted a remote server and downloaded one of several payloads based on certain parameters. One of these payloads was the banking Trojan Xenomorph.
To avoid early detection or being denied access to the Play Store these malicious dropper apps are distributed before the malware is placed on the remote server. This makes it hard for Google to determine that such an app has an ulterior motive and gives the threat actor the opportunity to distribute the dropper. The Fast Cleaner app has now been removed from the Play Store but not before it was downloaded more than 50,000 times.
Xenomorph
Xenomorph was recognized as a new malware closely related to the Alien banking Trojans, which was one of the other possible payloads. The main task of these banking Trojans is to steal credentials, combined with the use of SMS and Notification interception to log and use potential 2FA tokens.
It does this by mimicking legitimate banking apps. It opens a copy of the original interface of the legitimate banking app and this overlay sends entered data like usernames and passwords to the threat actor. To replace the legitimate banking apps the Trojan needs Accessiblity Services privileges, which it insistently requests after being started. Once it obtains these privileges, it will automatically grant itself all the required permissions and then silently execute on the device.
Under construction
The researchers found many commands and placeholders for future features of the banking Trojan which seems to indicate that this is a project that is still being worked on. The design is modular and contains modules for each specific action required by the bot, and can easily be extended to support more functionality.
Another indicator for the development stage lies in the information the Trojan logs and sends to the C2 server. This includes information that could be used to implement keylogging, as well as collecting behavioral data on victims and on installed applications, even if they are not part of the list of targets—yet. The malware is capable of abusing the Accessibility Services to log everything that happens on the device. It would only require a minor modification to add keylogging and Accessibility logging capabilities to the malware.
Targets
One of the parameters in deciding which malware to download to the affected device is whether the user of the device meets the target requirements for Xenomorph. The list of overlay targets returned by Xenomorph includes banking apps from Spain, Portugal, Italy, and Belgium, as well as some general purpose applications like emailing services, and cryptocurrency wallets.
Based on the list of installed packages on the affected device, and based on what targeted application is present on the device, it downloads the corresponding overlays to inject. So, once more overlays get developed, the list of targets is likely to be expanded.
IOCs
Domains:
- simpleyo5.tk Main C2
- simpleyo5.cf Backup C2
- art12sec.ga Backup C2
- kart12sec.gq Backup C2
- homeandofficedeal.com Overlay C2
Package names Fast Cleaner:
- com.census.turkey
- com.laundry.vessel
- com.tip.equip
- com.spike.old
Malwarebytes
Malwarebytes web protection module blocks the C2 servers and Malwarebytes for Androiddetects Xenomorph as Android/Trojan.Dropper.Xeno.
Stay safe, everyone!