Xenomorph is a banking trojan that was distributed on the Google Play app store, billed as a “Fast Cleaner” app. More than 50,000 users downloaded Xenomorph. Xenomorph employs many common trojan tactics, such as stealing SMS messages, intercepting notifications, bypassing two-factor authentication, and using overlay attacks to steal credentials.
Xenomorph was discovered in February 2022 and is believed to be authored by an actor group called “ring0.” RingO was also the author of another trojan known as Alien, and Xenomorph shares many similarities with this trojan. Victims reside in Belgium, Italy, Portugal, and Spain, and 29 banking apps have been compromised.
In addition to the common tactics used, Xenomorph employs other novel capabilities:
- The trojan acts as a dropper for additional malware apps on the device.
- Abused accessibility services to log activities and send logs to the command and control.
Threats Posed by Xenomorph to Mobile Banking Apps
- Data Theft: Xenomorph is designed to steal sensitive information from the user’s device. This theft includes login credentials for banking apps, credit card information, and personal identification details.
- Keylogging: The trojan can capture keystrokes, recording everything the user types on their device. This information includes usernames, passwords, PINs, and other sensitive data entered into mobile banking apps.
- SMS Intercept: Xenomorph can intercept SMS messages on the infected device. Intercepted messages could include one-time passwords (OTPs) and transaction verification codes sent by mobile banking apps, potentially allowing attackers to bypass two-factor authentication.
- Overlay Attacks: Xenomorph can employ overlay attacks, displaying fake login screens that mimic legitimate mobile banking apps. Users may unwittingly enter their credentials into these deceptive interfaces, which are then captured by the trojan.
- Device Information Theft: Xenomorph can gather device-specific information, such as device identifiers, phone numbers, and operating system details. This information may be used for tracking and profiling users.
- Remote Control: The trojan connects to the attackers’ command and control (C2) server. This connection enables remote control of the infected device, allowing attackers to execute various commands, including unauthorized transactions.
Mitigating the Threat of Xenomorph
To protect your mobile banking app and its users from the Xenomorph banking trojan and similar threats, consider implementing the following security measures:
- Regular Updates: Keep your mobile banking app and its dependencies up-to-date with the latest security patches and enhancements to address known vulnerabilities.
- User Education: Educate users about the importance of downloading the official app from trusted sources, avoiding suspicious links or downloads, and being cautious with app permissions.
- Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security.
- Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
- Secure Coding: Follow secure coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
- Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
- Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
- Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.
By taking these precautions, you can help safeguard your mobile banking app and protect your users from the threats posed by the Xenomorph banking trojan and other evolving malware.
Learn More about Banking Trojan Families
Xenomorph is one of the principal families of banking trojans threatening mobile banking and financial apps. Learn more about other prominent banking trojan families:
- BianLian
- Cabassous
- Coper
- EventBot
- ExobotCompact.D
- Octo
- FluBot
- Medusa Trojan
- SharkBot
- TeaBot
- Zbot
- Svpeng
- Marcher
- Anubis
- Ginp
- Cerberus Trojan
- BankBot
- Emotet