The Android ecosystem being open source is a double-edged sword for both developers and users. While it does not restrict developers' visions in creating applications that add value to people's lives, it also attracts attackers whose only aim is to spam users or swindle them out of their money through various schemes.
Google tries its best to sniff out these malware-ridden apps from the Play Store, but there are a few of them that manage to slip through the cracks and are only discovered after they have caused some damage.
The latest such malware, dubbed Xenomorph, has been brought to light by ThreatFabric, who also gave it its name because of its ties to another trojan called Alien.
ThreatFabric reports that the trojan has already targeted users of 56 different banks in Europe, and that the dropper carrying it has more than 50,000 installations on the Google Play Store. The number of affected banks may be higher, as the ThreatFabric team focused on European banks.
To trick unsuspecting users into downloading the trojan, Xenomorph posed as a “Fast Cleaner” application. These kinds of applications aim to improve the speed of devices by removing unused clutter as well as removing battery optimization blocks. But rather than cleaning your phone, the app acted as a gateway to feed a user’s data to the malware.
In their investigations, ThreatFabric found that the Xenomorph banking trojan is delivered by the Gymdrop dropper family, the same family they discovered delivering the Alien trojan back in November 2021.
A dropper is a small helper program that facilitates the delivery and installation of malware. Attackers normally use droppers to evade the signatures that antivirus programs rely on to block or quarantine malicious code, since the dropper itself carries no malicious payload at the time it is scanned.
Once installed via the Fast Cleaner app, Xenomorph uses the information it gathers from your device to target your login credentials for online banking apps. When it determines that a particular banking app is installed on your phone, it generates an overlay that closely resembles that app's login screen.
If you are not paying close attention, you might think you are interacting with the genuine app, while you are instead handing your login credentials and other personal information to the trojan. The trojan then uses the stolen information to log into the real banking app and drain your account.
ThreatFabric concludes their report by saying that the Xenomorph trojan is still in its infancy: many commands found in its code have not yet been implemented. Should these commands become active, this trojan has the potential to be far more devastating, both in the number of apps it can mimic and in the variety of ways it can scam people.
As always, to keep yourself safe online, only download apps that you really need, read the reviews, and only download apps from trusted app stores.