Trojan 'Xenomorph' Attacks Mainstream Banks
US and Spain Impacted
The operators of the Xenomorph Android banking Trojan have now set their sights on customers of more than two dozen US banks, including major institutions such as Chase, Amex, Citi Mobile, Bank of America, and Discover Mobile. This new version of Xenomorph also targets popular cryptocurrency wallet apps, including those for Bitcoin, Binance, and Coinbase.
According to cybersecurity vendor ThreatFabric, thousands of Android users in the US and Spain have installed the malware on their devices since August. The threat actor is particularly interested in owners of Samsung and Xiaomi devices, which together account for around 50% of the Android market.
This recent development highlights the growing and increasingly sophisticated nature of mobile threats, especially for Android users.
A study released by Zimperium earlier this year found that Android is more attractive to threat actors because of the larger number of vulnerabilities in the Android ecosystem. The same study reported that Android app developers tend to make more security mistakes than their iOS counterparts.
Currently, adware and other potentially unwanted applications pose the biggest threat to Android users. However, banking Trojans like Xenomorph are becoming a greater concern.
In the first quarter of 2023, banking Trojans accounted for nearly 19% of all mobile threats, up from 18% in the previous quarter. Notable examples include remote access Trojans with capabilities for stealing banking information, such as SpyNote.C, Hook, Malibot, and Triada.
ThreatFabric first reported on Xenomorph in February 2022, when the banking Trojan was found masquerading as legitimate apps and utilities on the Google Play store. One of the apps, called "Fast Cleaner," claimed to optimize battery life but was actually stealing credentials from customers of 56 major European banks. Over 50,000 Android users installed it.
At that time, Xenomorph was still under active development and already included features for harvesting device information, intercepting SMS messages, and enabling online account takeovers. ThreatFabric believes the developers of Xenomorph are likely the same group as, or connected to, the creators of another powerful Android remote access Trojan called Alien.
Xenomorph relies on overlay attacks: when a user of an infected device opens a targeted banking app, the malware draws a fake copy of that bank's login screen on top of the real app and captures the username, password, and any other account details typed into it. Because the victim is interacting with the genuine, installed app, the spoofed screen is far more convincing than a phishing link. Combined with the SMS interception noted above, this also lets the operators capture SMS-based one-time codes needed to complete an account takeover.
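The overlay and SMS-interception capabilities described in the two preceding paragraphs both depend on permissions an analyst can enumerate on a device. The following is an added example, not code from the article or from ThreatFabric: a triage script that parses constructed text in the shape of `adb shell dumpsys package` output and of the `enabled_accessibility_services` secure setting, and flags packages that can draw over other apps or run an accessibility service while also being able to read SMS. The package names, the allowlist, and the assumption that overlay-style Trojans need SYSTEM_ALERT_WINDOW or an accessibility service are general Android knowledge and illustrative choices, not facts stated in the article.

```python
"""Triage installed Android packages for overlay-capable banking-Trojan traits.

Added example, not from the article or ThreatFabric. The inputs below are
constructed to mimic `adb shell dumpsys package` and
`adb shell settings get secure enabled_accessibility_services`; package
names are made up for illustration.
"""
import re

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
DUMPSYS_PACKAGE = """\
Packages:
  Package [com.android.chrome] (a1b2c3):
    userId=10042
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.fastcleaner] (d4e5f6):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
  Package [com.example.notes] (0a1b2c):
    userId=10124
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
"""

# Constructed value in the shape of the enabled_accessibility_services setting:
# colon-separated "package/ServiceClass" entries.
ENABLED_A11Y = (
    "com.example.fastcleaner/com.example.fastcleaner.Helper:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Hypothetical allowlist of packages that legitimately use accessibility services.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_requested_permissions(dump: str) -> dict[str, set[str]]:
    """Map each package to the permissions listed under 'requested permissions:'."""
    perms: dict[str, set[str]] = {}
    current = None
    in_requested = False
    for line in dump.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
        elif stripped.endswith(":"):  # a different section, e.g. "install permissions:"
            in_requested = False
        elif in_requested and stripped.startswith("android.permission."):
            perms[current].add(stripped)
    return perms


def parse_accessibility_services(setting: str) -> set[str]:
    """Return the package names that have an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(dump: str, a11y_setting: str) -> dict[str, list[str]]:
    """Flag non-allowlisted packages with overlay or accessibility capability."""
    perms = parse_requested_permissions(dump)
    a11y = parse_accessibility_services(a11y_setting)
    findings: dict[str, list[str]] = {}
    for pkg in set(perms) | a11y:
        if pkg in ALLOWLIST:
            continue
        requested = perms.get(pkg, set())
        reasons = []
        if requested & OVERLAY_PERMS:
            reasons.append("can draw over other apps (SYSTEM_ALERT_WINDOW)")
        if pkg in a11y:
            reasons.append("has an enabled accessibility service")
        # SMS access alone is common; it matters when paired with overlay ability.
        if reasons and requested & SMS_PERMS:
            reasons.append("can read incoming SMS (one-time-code interception)")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in sorted(triage(DUMPSYS_PACKAGE, ENABLED_A11Y).items()):
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; the script deliberately ignores SMS permission on its own, since many legitimate apps request it, and only treats it as aggravating when the same package can also cover other apps' screens.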
As mobile threats continue to evolve, Android users need to remain vigilant. Installing security software, keeping devices updated, and avoiding apps from unknown sources remain sound practices, but note that Xenomorph was distributed through Google Play itself, so the store listing alone is no guarantee; be suspicious of utility apps that request far more access than their stated purpose requires.