Xenomorph Android Bank Malware Supports 400 Banks.
This malware for Android smartphones was first discovered back in Feb, 2022 by ThreatFabric, actively targeting 56 European banks and had more than 50,000 users that downloaded and installed it.
The malware is developed by a group named "Hadoken Security Group" and version 2, that was released in June, 2022 was not used so much, although the entire code was revised by its authors.
In March, 2023 ThreatFabric warned of the latest version 3, that is far more capable than its predecessors and that cyber criminals are beginning to target mobile banking users, now with a support for 400+ banks.
Xenomorph 3 is able to automatically steal your data, including your credentials, account balances, performing banking transactions and finalize any fund transfers, without the cyber criminals personal involvement as it has a complete ATS framework.
This is one of the most dangerous Banking RATS.
Hadoken Security Group develops the following Malware:
- Xenomorph Banker RAT ( Main product )
- MagSPY Spyware RAT
- GymDropper Family ( Via Google Playstore )
The samples identified by ThreatFabric featured configurations with Target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets, with an increase of more than 6 times with comparison to its previous variants, including financial institutions from all continents.
Xenomorph v3 is being distributed via the ‘Zombinder’ platform on the Google Play store, posing as a currency converter and switching to using a Play Protect icon after installing the malicious payload.
The threat actor "Hadoken Security Group" is looking to enter the MaaS landscape, ( Malware As A Service ), if they haven't already. This is the same service as other developers offers via "Ransomware", only the software works different.
If you are infected by this Malware, all money in your bank account is gone and it totally depends on your bank if they will refund you or not!
What can't be hacked or traced?
The answer is: hard earned cash or gold.
Who can access your bank account besides you?
The answer is: Cyber criminals if they get access to your phone or credentials and of course your governments agency's always has direct access.
How does Hadoken Security Group market their V3 software?
- Runtime Accessability Engine
Xeno does not use manually written accessability service code. We use a runtime engine,RUM, where all the action scenarios are described and stored in an easy to read JSON resource. This allows us to easily update/debug our scripts, and we can remotely retrieve specific action sequences for ATS and any others usecases. In addition, our accessability service is 5 times faster than most of our peers. Our accessability workflow is now the most flexible and up-to-date.
This banking trojan is in the class of Gustuff and SharkBot and besides RUM it has MFA bypass and cookie stealing capabilities.
Xenomorph also makes use of Discord Content Delivery Network (CDN), which is a legitimate service, reliable, used by millions and free to use.
It does not just collect your data, it uses an overlay attack, which means someone good at graphics has made an exact copy of the original banks app layout and then the malware places it on top, making you think you are logging into your bank via their app, but in reality you are actually letting the Malware get access to your account and steal whatever is in there.
For Brazilians, the known threats are:
- Banco Bradesco
- Banco Itaú
However you should expect more banks to be added to this specific Malware.
Already back in August 2022, ThreatFabric reported that Xenomorph was being distributed via a new dropper named "BugDrop," which bypassed security features in Android 13.
Their latest campaign uses phishing pages non-techies, to update their Chrome browser, tricking them into downloading a malicious APK and install it.
They use AES-256 encrypted overlays and have added additional features.
Their latest campaign is targeted against U.S institutions.
DO NOT USE a smartphone for banking or cryptocurrency transfers, no matter how much easier it makes your life! Then again, most of you who read this, will probably not adhere to this advice so, install Malwarebytes and choose either Bitdefender, ESET or Kaspersky, then pray to your god if you have one, that you will not get hacked.
Fact is downloading from a third-party is not a great idea, but you could as easily be infected while using Google Playstore as well, so I recommend you look up the app via Google, Bing, DuckDuckGo etc, before installing it. Do some research....