Android Banking Trojan Targets Europeans
A new Android banking trojan with over 50,000 installations has been observed distributed via the official Google Play Store with the goal of targeting 56 European banks and carrying out harvesting sensitive information from compromised devices.
Dubbed Xenomorph by Dutch security firm ThreatFabric, the in-development malware is said to share overlaps with another banking trojan tracked under the moniker Alien while also being “radically different” from its predecessor in terms of the functionalities offered.
“Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores. In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS.”
ThreatFabric’s founder and CEO, Han Sahin
Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA theft features, emerged shortly after the demise of the infamous Cerberus malware in August 2020. Since then, other forks of Cerberus have been spotted in the wild, including ERMAC in September 2021.
Xenomorph, like Alien and ERMAC, is yet another example of an Android banking trojan that’s focused on circumventing Google Play Store’s security protections by masquerading as productivity apps such as “Fast Cleaner” to trick unaware victims into installing the malware.
It’s worth noting that a fitness training dropper app with over 10,000 installations — dubbed GymDrop — was found delivering the Alien banking trojan payload in November by masking it as a “new package of workout exercises.”
Fast Cleaner, which has the package name “vizeeva.fast.cleaner” and continues to be available on the app store, has been most popular in Portugal and Spain, data from mobile app market intelligence firm Sensor Tower reveals, with the app making its first appearance in the Play Store towards the end of January 2022.
Android Banking Trojan Targets Europeans