Threatfabric: New Xenomorph Trojan for Android Detected with Advanced Capabilities
A new variant of the Android banking Trojan known as Xenomorph has been detected in the wild, according to a report by the information security company ThreatFabric. The updated version, which the Hadoken Security Group calls Xenomorph 3rd Generation, has new functions, including an improved mechanism built on the Android Accessibility Service. The attackers use this mechanism to implement an Automated Transfer System (ATS).
Xenomorph was first discovered in February 2022, when it targeted 56 European banks using dropper applications available in the Google Play store. The latest iteration, however, targets more than 400 banking and financial institutions, including several cryptocurrency wallets. According to ThreatFabric, the detected samples are distributed through the Discord Content Delivery Network (CDN). The campaign has expanded from European companies to Belgian and Canadian financial organizations.
The Zombinder dropper application deploys Xenomorph v3 while posing as a currency converter, loading the payload as an update for Google Play Protect. The Zombinder application is developed using the Google Bound. The Xenomorph Trojan abuses the Android Accessibility Service for overlay attacks and can automatically complete fraudulent transactions on infected devices. This method, the Automated Transfer System (ATS), is included in the Xenomorph Trojan so that it can obtain codes from authenticator applications, since banks are moving from SMS-based two-factor authentication (2FA) to authenticator apps.
Xenomorph v3 also has a cookie theft function that lets attackers take over accounts. Session cookies allow a user to keep a session open in the browser without re-entering credentials, so stealing session cookie files gives attackers access to the victim's session. Thanks to these new functions, Xenomorph can now automate the entire attack chain, from infection to theft of funds, making it one of the most advanced and dangerous Android trojans.
The updated version of this banking Trojan has advanced capabilities compared to previous versions, which makes it an even greater concern for financial institutions and individuals alike. Continued cybersecurity awareness remains critical to keeping users protected from such malicious attacks.