A new variant of the Android banking trojan, called Xenomorph, has been discovered by the Hadoken Security Group. This updated version, dubbed “Xenomorph 3rd generation,” has new features that enable it to perform financial fraud in a seamless manner.
The malware is designed to target over 400 banking and financial institutions, including cryptocurrency wallets. The malware’s capabilities include an extensive runtime engine powered by Accessibility services and an ATS module that can launch and extract authenticator codes from the app.
The malware is also known to abuse Accessibility Services to perform fraud through overlay attacks.
Samples of the malware were detected by ThreatFabric, distributed via Discord’s Content Delivery Network, which has surged in popularity since 2020.
The malware is delivered through trojanized versions of legitimate apps via an APK binding service called Zombinder, which was advertised on the dark web. Targets of the latest campaign go beyond its European focus to include financial entities in Canada and Belgium. Xenomorph is capable of cookie-stealing functions that enable attackers to perform account takeover attacks.
According to ThreatFabric, the Xenomorph malware automates the entire fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans currently in circulation.
Banks are moving away from SMS-based two-factor authentication to authenticator apps, which Xenomorph exploits by incorporating an ATS module that extracts the authenticator codes.
It also has the ability to complete fraudulent transactions on infected devices automatically. The dedicated website advertising Xenomorph’s features shows that the threat actor behind the operation has put a lot of effort into creating a sophisticated tool that can bypass security measures and perform financial fraud.