An Android banking malware dubbed Xenomorph, has been found to be targeting 56 different European banks.
This malware took the form of previous found android malware called Alien. The Alien mobile malware was first detected in January 2020 and was a fork of the Cerberus Android malware.
Xenomorph has been found in applications on the Google Play Store. Researchers note that while Google has seemingly taken some action to reduce the number of malicious applications on its store, these efforts are not enough to stop criminals from reaching the store.
Xenomorph is hidden in what appear to be legitimate applications. One such application was Fast Cleaner. The app was pitched as speeding up a device by removing unused clutter and removing battery optimization blocks. Before being removed from Google Play, the app had more than 50,000 installations.
Xenomorph uses an overlay attack to steal credentials. A malicious app opens and activates a window over a legitimate program. This layer fully replicates the target product interface, with the user being none the wiser. Given that Xenomorph targets 56 European banks, a user opening their banking app would be presented with a screen that appeared to be their banking app but was actually a fake overlay of their login screen.
Xenomorph intercepts SMS messages and two-factor authentication programs to intercept and gain access to victims’ bank accounts. Xenomorph appears to be in its early stages of development and many code and capabilities still need to be implemented researchers says .
This shows the bad actors increasingly getting more and more sophisticated and targeting legitimate apps to widen their attack surface.