New Android banking trojan spreads via Google Play Store and targets Europeans

A new Android banking trojan with over 50,000 installations has been observed being distributed via the official Google Play Store with the aim of targeting 56 European banks and harvesting sensitive information from compromised devices.

Dubbed Xenomorph by Dutch security firm ThreatFabric, the malware in development is said to share overlaps with another banking Trojan tracked under the name Alien while being “drastically different” from its predecessor in terms of features offered.

“While a work in progress, Xenomorph already sports effective overlays and is actively distributed on official app stores,” said ThreatFabric Founder and CEO Han Sahin. “Furthermore, it has a very detailed and modular engine for abusing accessibility services, which in the future could power very advanced capabilities, like ATS.”

Automatic GitHub backups

Alien, a remote access trojan (RAT) with notification detection and authentication-based 2FA theft features, emerged shortly after the infamous Cerberus malware disappeared in August 2020. Since then, d other Cerberus forks have been spotted in the wild, including ERMAC in September 2021.

Xenomorph, like Alien and ERMAC, is another example of an Android banking Trojan that focuses on circumventing Google Play Store security protections by impersonating productivity apps such as “Fast Cleaner” to trick victims into oblivious to installing the malware.

Android Banking Trojan

It’s worth noting that a fitness workout dropper app with over 10,000 installs – dubbed GymDrop – was found in November masking it as a “new workout exercise bundle”.

Fast Cleaner, which goes by the package name “” and continues to be available on the App Store, was most popular in Portugal and Spain, according to data from the information company on the Sensor Tower mobile app market, with the app making its first appearance on the Play Store around the end of January 2022.

Additionally, user reviews of the app warned that “this app contains malware” and that it “asks[s] for an update to be confirmed all the time.” Another user said, “It puts malware on the device and apart from that it has a self-protection system so you can’t uninstall it.”

Prevent data breaches

Xenomorph also uses the tried-and-true tactic of tricking victims into granting it Accessibility Service privileges and abusing permissions to carry out overlay attacks, in which the malware injects malicious overlay screens onto targeted computer apps. Spain, Portugal, Italy and Belgium. to siphon credentials and other personal information.

In addition, it is equipped with a notification interception function to extract two-factor authentication tokens received by SMS and obtain the list of installed applications, the results of which are exfiltrated to a remote command and control server. .

“The appearance of Xenomorph shows, once again, that threat actors are focusing their attention on landing apps on official markets,” the researchers said. “Modern banking malware is evolving at a very rapid pace and criminals are beginning to adopt more refined development practices to support future updates.”

Lance B. Holton