This Android malware could be coming to a phone near you, and it’s after your bank account information. Discover how this malware behaves, who it affects, what’s next and how to keep your phone malware free.
Xenomorph malware appears
This new malware, known as “Xenomorph,” targets customers of financial institutions in Spain, Portugal, Italy and Belgium. Thus far, the malware has made its way onto more than 50,000 Android devices. Once loaded onto a device, Xenomorph steals banking credentials, enables account takeover and unauthorized transactions, and facilitates the sale of the stolen data to dark web buyers.
Xenomorph malware on apps
This malware snuck into the Google Play Store via generic performance-boosting applications. In other words, it hitches a ride with applications that promise to clean Android phones or to generally improve Android functionality.
These kinds of performance-boosting Android tools are always popular. As a result, packing malware into performance-boosting applications is an easy and effective way for hackers to widely distribute malware within a short period of time.
Xenomorph malware operation
The malware uses a simple trick to circumvent Google’s app review. The performance-boosting app submitted to the Play Store contains no malicious code; only after it is installed on a victim’s device does it download the Xenomorph payload. The app is therefore clean at the moment it is reviewed, and the malicious behavior only appears once the app is running on real phones.
Xenomorph malware code
Experts have attributed the delivery of Xenomorph to the “Gymdrop” dropper family, which was first discovered in November of 2021 and has been seen pushing payloads that imitated Google Play, Chrome and Bitcoin management applications.
The code supporting Xenomorph malware appears similar to the code within the Alien banking malware (and yes, that’s really the name of the malware). Experts suggest that the two threats are related – Alien may be the early ancestor of Xenomorph. It’s also possible that a developer is building and evolving both malware types simultaneously.
Xenomorph malware capabilities
Xenomorph remains under active development by its authors. Nonetheless, the information-stealing and account-takeover components already represent a significant threat, as the software currently targets 56 different European banks.
The malware is capable of intercepting notifications, logging SMS messages, and using injections to perform overlay attacks, in which a fake login screen is drawn on top of a legitimate banking app. This enables it to snatch both the credentials and the one-time passwords (delivered by SMS or app notification) used to protect bank accounts.
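The two behaviors described above, a dropper that stays clean at submission time and a payload that needs SMS, notification and overlay access, both leave traces in an app’s declared permissions. The script below is an added example, not code from the article or from any vendor report: it triages an AndroidManifest.xml for the capabilities Xenomorph is reported to use. The permission-to-capability mapping is a general heuristic assumption, not a Xenomorph signature, and both manifests are constructed for the demonstration.

```python
"""Triage an Android manifest for capabilities a banking trojan needs.

Added example, not from the original article. The mapping of permissions to
behaviours is an assumption (a heuristic), and the sample manifests below are
constructed for this demo rather than taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission attribute

# Heuristic mapping (assumption): which declared permission supports which
# behaviour the article attributes to Xenomorph and its dropper.
PERMISSION_INDICATORS = {
    "android.permission.RECEIVE_SMS": "SMS logging (OTP theft)",
    "android.permission.READ_SMS": "SMS logging (OTP theft)",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay injection",
    "android.permission.REQUEST_INSTALL_PACKAGES": "post-install payload drop",
}
# Services that must be bound with a system permission to work at all.
SERVICE_INDICATORS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification interception",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "UI automation / overlay support",
}

# Threshold is an assumption: three distinct capabilities in a "cleaner" app
# is enough to send it for manual review.
REVIEW_THRESHOLD = 3


def triage_manifest(manifest_xml: str) -> dict:
    """Return {indicator: capability} for every suspicious declaration found."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    # <uses-permission android:name="..."/> entries are direct manifest children.
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in PERMISSION_INDICATORS:
            findings[name] = PERMISSION_INDICATORS[name]
    # Listener/accessibility services declare the binding permission on the
    # <service> element itself, not as a uses-permission.
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            bind = svc.get(PERMISSION, "")
            if bind in SERVICE_INDICATORS:
                findings[bind] = SERVICE_INDICATORS[bind]
    return findings


def capability_score(findings: dict) -> int:
    """Count distinct capabilities, so RECEIVE_SMS + READ_SMS count once."""
    return len(set(findings.values()))


def needs_review(manifest_xml: str) -> bool:
    return capability_score(triage_manifest(manifest_xml)) >= REVIEW_THRESHOLD


# Constructed sample: a "phone cleaner" that wants SMS, overlays, package
# installation and a notification listener, none of which cleaning requires.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fastcleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Fast Cleaner">
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: what a cleaner app plausibly needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plaincleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Cleaner"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(xml)
        print(label, capability_score(f), "needs review:", needs_review(xml), f)
```

Two caveats a practitioner should keep in mind. First, a legitimate SMS or notification-management app will trip the same indicators, so this is a triage filter, not a verdict. Second, the dropper trick described above means the app actually submitted to the store may declare almost nothing; the indicators belong to the payload it fetches later, so the manifest worth checking is the one inside whatever the dropper downloads at runtime, which usually requires running the app in a sandbox and capturing that download.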
More advanced capabilities could be added to this malware at any time: only minor changes to the code are needed to activate extensive data-siphoning functions that are already present but dormant.
Although experts state that Xenomorph malware does not represent an overwhelming threat at the moment, it could reach its full potential as banking malware in the near future. The code contains a series of commands that have not yet been implemented, but they are expected to be quite powerful once properly configured.
The general public can steer clear of this malware by avoiding the installation of apps that tout ‘too-good-to-be-true’ promises, such as rendering a phone’s operation 10X faster than current speeds. Exploring reviews and seeing what others have to say about an app can also help individuals avoid malicious downloads. It is also worth checking the permissions an app asks for at install time or after its first update: a phone cleaner has no reason to read your SMS messages, listen to your notifications or draw over other apps, and a request for any of these is a reason to uninstall it.
For more information about phone-based malware threats, see CyberTalk.org’s past coverage.
Bonus content: This may or may not provide insights into this new malware… In 1979, the movie Alien featured “The Alien,” a creature also known as the “Xenomorph.” The Alien is protected from all outside forces and functions as a parasite. As the Alien film series continued, the creature’s design was modified in various ways. If the Xenomorph malware follows the trajectory of the character in the films, taming this beast will be a serious pursuit.