March 13 (Portaltic/EP) –
A team of researchers has detected a new version of the Xenomorph malware, a malicious ‘software’ for Android that allows the automation of bank transfers and that is aimed at more than 400 banking institutions.
In February 2022, the cybersecurity company ThreatFabric discovered this banking Trojan for Android, which acquired the name Xenomorph because it was linked to another similar banking Trojan, Alien, with which it shared certain characteristics.
Based on this ‘malware’’s activity record, the company concluded that this variant, distributed by GymDrop, targeted 56 different European banks –including some Spanish ones– and that it had been installed some 50,000 times through the Google Play Store.
The company recently announced that, after analyzing the activity of this Trojan, it has seen “a sea change” in its behavior, as the cybercriminals behind it have begun to focus more on the world of mobile banking.
ThreatFabric recalled that Xenomorph “has always been characterized by short distribution efforts” and that its activity suggested the cybercriminals were “opposed to a real large-scale distribution with fraudulent intent.”
However, a third variant of this ‘malware’ family has now appeared, Xenomorph V3 or C, capable of completely automating the entire fraud chain, from infection to the exfiltration of funds, “which makes it one of the most advanced and dangerous Android ‘malware’ trojans in circulation.”
Specifically, this variant of the Trojan could affect more than 400 banking and financial institutions around the world, including cryptocurrency wallets, more than a sixfold increase over its previous variants.
It is delivered by Zombinder, which is bound to a legitimate currency converter ‘app’ that downloads a fake ‘app’ posing as the Google Protect device security service and installs it to execute the malicious payload.
According to the company, the cybercriminals have equipped this ‘malware’ with support for an Automated Transfer System (ATS) framework that uses the so-called starting capacitor (RUM).
The ATS is thus used to define a set of features that allow attackers to complete fraudulent financial transactions on infected devices: it can automatically extract login credentials, read account balances or obtain tokens without any need for contact with an operator.
The company commented that this Trojan can easily extract the required Personally Identifiable Information (PII) and use it to carry out criminal activities. In this regard, it recalled that banks are abandoning the use of SMS for multi-factor authentication (MFA) and that authenticator applications are being implemented instead.
Hence, the cybercriminals have created an ATS module that collects data every time the ‘malware’ launches the authenticator app and uses flexible trigger conditions, so attackers can design different access scenarios and increase the effectiveness of each attack.
Xenomorph thus carries a script to extract information from the accounts it has access to, as well as to complete a fraudulent transaction. In addition, the latest version of this Trojan has added a new ability to steal ‘cookies’.
These elements allow users to keep sessions open in their browsers without having to enter their credentials again. Once they are in the hands of cybercriminals, the attackers can freely access those websites as the victims.
Finally, ThreatFabric highlighted that it has discovered a website dedicated to advertising this ‘malware’ for Android, “which indicates that it has clear intentions to enter the Malware-as-a-Service (MaaS) scene,” according to a statement.