[German]Security researchers from threadfabric.com have come across a new Android banking Trojan in February 2022, which is distributed via the Google Play Store and targets the customers of 56 European banks. An infected cleaner app was downloaded more than 50,000 times from the Play Store.
Advertising
Security researchers from threadfabric.com christened the Trojan Xenomorph. The name comes from its clear connection to another notorious banking Trojan, Alien, from which Xenomorph takes class names and interesting strings. According to the information gathered, users of 56 different European banks are among the targets of this new Android malware Trojan, which is distributed via the official Google Play Store and has more than 50,000 installations.
Fast Cleaner app infected
One of the Trojan-infected apps that ThreatFabric discovered posed as "Fast Cleaner." This is an app that promises to speed up the device by removing unused clutter and blockades for battery optimization.
The app itself is clean when uploaded to the Google Play Store, so it could be successfully posted to the store and then distributed. This is because more than 50,000 installations have been reported on Google Play. This is not unusual, as malware families like Vultur and Alien are spread through such apps. The malicious app loads the malware only after it is installed on the victim's smartphone.
During the analysis, security researchers found that this app contains a malicious routine that belongs to the Gymdrop dropper family. This is a dropper family that was discovered by ThreatFabric in November 2021. The dropper can then reload other malware to infect the smartphone. The security researchers first observed malware infections that belong to a new wave of ExobotCompact.D Trojans. Based on the configuration downloaded by the dropper, ThreatFabric was able to confirm that this dropper family continues to use this malware family as a payload. However, unlike before, the server hosting the malicious code also contained two other malware families that were also delivered instead of Alien due to certain triggers.
Advertising
This Android banking malware is still in the development phase and supports only the minimum features required for a modern Android banking Trojan. The app asks for advanced permissions upon installation and uses them to infect the device. The next step of the app after installation is to send back a list of installed packages on the compromised device so that the appropriate overlays can be reloaded.
This can already be used to steal login credentials and one-time passwords used to protect bank accounts. Like many other Android banking Trojans, this Trojan relies heavily on the overlay attack mechanism. The victim is supposed to be tricked into revealing personal information, which can then be used by criminals for fraud purposes. When the malware gains the access rights to the services it absolutely requests after launch, it automatically grants itself all the necessary permissions and then executes itself on the device unnoticed.
After that, the banking Trojan can intercept notifications, log text messages and use injections to perform overlay attacks. The list of overlay targets returned by Xenomorph includes banks from Spain, Portugal, Italy, and Belgium, as well as some general apps such as email services and cryptocurrency wallets. Threadfabrik has published a detailed analysis of this Trojan.
