Banking Malware that steals Personal Data
A new Android banking malware is attacking customers of 56 European banks. Discovered by the cybersecurity firm ThreatFabric, Xenomorph hides behind seemingly innocuous applications and attempts to steal passwords and even one-time codes. It appears to be inspired by an earlier banking malware known as Alien. Xenomorph is a Trojan distributed through the Google Play Store, where it hides behind several bogus apps, including one called Fast Cleaner. That app, which claims to clean up the smartphone, has been downloaded by more than 50,000 people.
The app actually contains a module called Gymdrop, which connects to a server to download and install the malware; this is how it bypasses Play Store security. The same servers also host two other malware families: Alien, the predecessor of Xenomorph, and ExobotCompact.D. Those two are already well known, but Xenomorph is completely new.
After installation, the malware requests permission to use the accessibility services, which it then hijacks to grant itself the other permissions it needs. It transmits the list of all apps installed on the device so that it can download the corresponding packages. When the user opens a banking application, the accessibility services notify the malware, which then displays a web page on top of the application designed to look identical to it. The user enters their credentials without realizing that they are not in the real application.
Xenomorph is also able to defeat two-factor authentication by intercepting notifications and SMS messages to retrieve one-time codes. The malware logs a great deal of information and could be used to record all text input and even monitor other apps on the infected device. Xenomorph reuses part of the Alien malware code.
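As an added defender-side check (not from the article or ThreatFabric), the following Python audits which packages on an Android device hold the two grants described above, accessibility service access and notification-listener access, and flags any holder outside an allowlist. The allowlists are assumptions to adapt per device, and the sample setting values are constructed, not captured from a real device.

```python
import subprocess

# Packages expected to hold these powerful grants (assumption: extend with the
# device's legitimate screen reader, password manager or wearable companion).
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_LISTENERS = {"com.android.systemui"}

# Constructed sample values, not real device output. Each mirrors the format of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# and pairs a legitimate entry with a fake "cleaner" package standing in for a
# dropper-installed service.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/"
                        "com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.fastcleaner/.AccessService")
SAMPLE_LISTENERS = ("com.android.systemui/.NotificationListener:"
                    "com.example.fastcleaner/.NotifyService")

Finding = tuple[str, str, str]  # (grant type, package, service class)


def parse_services(value: str) -> list[tuple[str, str]]:
    """Split 'pkg/Service:pkg2/Service2' into (package, service) pairs; 'null' means none."""
    value = value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg:
            pairs.append((pkg, svc))
    return pairs


def audit(accessibility_value: str, listener_value: str) -> list[Finding]:
    """Return every accessibility or notification-listener grant held outside the allowlists."""
    findings: list[Finding] = []
    for pkg, svc in parse_services(accessibility_value):
        if pkg not in TRUSTED_ACCESSIBILITY:
            findings.append(("accessibility", pkg, svc))
    for pkg, svc in parse_services(listener_value):
        if pkg not in TRUSTED_LISTENERS:
            findings.append(("notification_listener", pkg, svc))
    return findings


def read_setting(name: str) -> str:
    """Read a secure setting from a USB-attached device (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", "settings", "get", "secure", name],
                          capture_output=True, text=True, check=True).stdout
```

Against a live device, pass `read_setting("enabled_accessibility_services")` and `read_setting("enabled_notification_listeners")` to `audit`; any finding is a package that can see what the user types or intercept one-time codes and should be reviewed.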
The researchers say Xenomorph is still at an early stage of development, and its code contains many commands that have yet to be implemented. The names of these commands suggest that in the future it may be able to update, uninstall, or even disable other applications. It could thus block any antivirus and then disappear without a trace once it has stolen the victim's password.
The malware currently targets banking applications in Spain, Portugal, Italy and Belgium, and also targets other applications such as messaging apps and cryptocurrency wallets. The researchers currently rate it a medium-level threat. However, once its development is complete, it has the potential to pose a high-level threat comparable to other modern Android banking malware.