Image: iStockphoto/solarseven

In September 2020, ThreatFabric exposed an Android-based mobile malware dubbed “Alien” that had striking capabilities, such as providing remote access to attackers, controlling SMS messages, stealing notifications, installing or removing apps, and collecting data about the phone it has infected.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

That malware has been updated since, and now provides banking trojan capabilities to the cybercriminals controlling it as reported by ThreatFabric. The new malware is dubbed Xenomorph.

From Alien to Xenomorph

Several items have led the ThreatFabric researchers to believe that the Xenomorph malware is an evolution from Alien.

The first clue is that the same HTML page is used to trick victims into granting Accessibility Services privileges, yet it has been used by many other families.

More intriguing, researchers mention that “the style of variable naming used by Xenomorph is very reminiscent of Alien, despite being potentially even more detailed,” and that “the actual name of the shared Preferences file used to store the configuration for Xenomorph: the file is named ring0.xml”.

As a matter of fact, ring0 is the nickname of the developer of the original Alien malware (Figure A).

Figure A

Image: ThreatFabric. A post from nickname ring0 on a cybercrime forum and the reference in the code.

Additionally, several particular strings and class names are visible in both the Alien and the Xenomorph code (Figure B).

Figure B

Image: ThreatFabric. Identical logging strings in the code of Alien and Xenomorph.

The Alien malware has more overall capabilities than Xenomorph, which is far more targeted at stealing banking information.

One could think that the developer of Alien decided to create a more specific malware that would focus on financial theft only.

Xenomorph infections

While Google deploys efforts to tackle malware on its Play Store, cybercriminals still find ways to bypass it and have their malware distributed that way.

One application from the Play Store, dubbed “Fast Cleaner” whose described purpose would be to speed up the device, has dropper capabilities: It downloads, drops and executes malicious content (Figure C).

Figure C

Image: ThreatFabric. The Fast Cleaner application which downloads and installs Xenomorph in the background.

According to the researchers, the Fast Cleaner app has downloaded and installed several different malwares in the past, ExobotCompact.D and Alien.A malware families. But then, it started also downloading and installing Xenomorph.

Xenomorph capabilities

Xenomorph is able to deploy overlay attacks, which consists of placing a window on top of a legitimate application, to ask the user for credentials.

The malware also has the ability to intercept notifications, handle SMS and therefore bypass SMS two-factor authentication.

As a common capability within malware, Xenomorph is able to update itself or its command-and-control server reference.

The banking trojan is also developed with a very modular model: It is easy to add new functions to it. As a matter of fact, more functions are already implemented in the code, but not yet used: Extensive logging capabilities might be used in the future and allow the malware to collect a lot more information on the usage of the device and its user.

The overlay attack

As told, Xenomorph has the ability to deploy overlay attacks.

In order to achieve the overlay attack, Xenomorph’s code contains a list of banking or financial applications that will trigger the overlay screen from the malware. That screen will ask the user for its data. A non-cautious user might then provide the attackers with his or her credentials (Figure D) or credit card information.

Figure D

Image: ThreatFabric. Overlay attack screen from Xenomorph asking the user for his or her credit card information.

Xenomorphs targets

The list of overlay targets returned by the banking trojan includes targets from Spain, Italy, Belgium and Portugal, but also cryptocurrency wallets and e-mail services (Figure E).

Figure E

Image: ThreatFabric. Targeted applications.

A full list of the targeted applications has been provided by the researchers in the report.

How to protect yourself from Xenomorph

To protect from Xenomorph as well as other mobile malware, several actions can be taken:

  • Avoid unknown stores. Unknown stores typically have no malware detection processes, unlike the Google Play Store. Don’t install software on your Android device that comes from untrusted sources.
  • It is not the case for Xenomorph but might be useful to protect against other mobile malware: reboot often. Some high-stealth malware does not have persistent mechanisms, in order to stay undetected, so rebooting often might clean your device of that threat.
  • Carefully check requested permissions when installing an app. Applications should only request permissions for necessary APIs. Before installing an application from the Google Play Store, scroll down on the app description and click on App Permissions to check what it requests. Users should be extra cautious when an application asks for permission to handle SMS. As an example, a cleaning app should definitely not ask for this privilege, which can be used for banking Trojans like Xenomorph to bypass 2FA that uses SMS.
  • Note that immediate requests for update after installation are suspicious. An application that is downloaded from the Play Store is supposed to be the latest version. If the app asks for update permission at the first run, immediately after its installation, it is suspicious.
  • Check the context of the application. Is the application the first one from a developer? Has it very few reviews, maybe only five-star reviews?
  • Use security applications on your Android device. Comprehensive security applications should be installed on your device to protect it.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays