This super-dangerous Android malware has returned to target US shoppers and bankers

(Image credit: Future)

The infamous Xenomorph Android malware is back with new tools, and ready to steal more than just money from unsuspecting victims, experts have warned.

Cybersecurity researchers ThreatFabric, which has been monitoring the malware since early 2022, there is a new campaign active at the moment, targeting victims in the U.S., Canada, Spain, Italy, Portugal, and Belgium.

The infection chain is similar to what we’ve seen from Xenomorph in the past - the attackers set up phishing pages, “warning” victims that their Chrome browser needs to be updated and then delivering the malicious APK to the endpoint. 

New distribution mechanism

Those that take the bait and install the APK will get an advanced version of Xenomorph, capable of stealing money from numerous banks, as well as cryptocurrencies from different wallets.

The malware does so by overlaying legitimate apps, and this time around, Xenomorph comes with approximately a hundred different overlays. The app chooses the right overlay, depending on the target demographic.

"This latest campaign also added plenty of financial institutions from the United States, together with multiple crypto-wallet applications, totaling more than 100 different targets per sample, each one using a specifically crafted overlay to steal precious PII from the victim's infected device," the researchers said in their technical writeup.

Xenomorph has endured countless changes throughout the years. The latest version comes with a couple of new features, including a way to mimic legitimate apps, simulating a tap on the screen, and making sure the smartphone doesn’t switch its screen off by keeping active notifications on at times. 

The malware was first discovered in early 2022 when it was observed targeting users of 56 banks in Europe. Back then, it was being distributed via Google Play, and was downloaded more than 50,000 times. Since then, it was removed from Google’s repository and deployed via a dropper called “BugDrop”.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.