A recent discovery by security experts has revealed the existence of a malware that specifically targets Android users in the US, Canada, Italy, Portugal, Spain, and Belgium.

Known as Xenomorph, the perpetrators behind this highly advanced Android banking trojan have been consistently directing their efforts towards European users for more than a year. However, they have recently expanded their operations to include consumers of over 25 American financial institutions.

The Xenomorph has returned, and this iteration is even more lethal than ever. Now a more serious danger, it has spread to more than 100 financial and cryptocurrency apps, according to analysts.

Phishing Tactics And Malware Distribution

The current Xenomorph campaign began in mid-August, according to analysts at cybersecurity firm ThreatFabric, who have been monitoring the malware’s activity since February 2022.

The malware authors’ latest campaign involves phishing URLs that encourage users to update their Chrome browsers and download the dangerous APK. The malware is still using overlay techniques to collect data, but now it is now going after US banks and a variety of cryptocurrency apps.

ThreatFabric analysts gained access to the malware operator’s payload hosting infrastructure by taking advantage of the operator’s lax security procedures.

The malware’s Private Loader, the Windows information thieves RisePro and LummaC2, and the Android malware versions Medusa and Cabassous were among the other harmful payloads they found there.

A noteworthy characteristic of the latest iteration of Xenomorph pertains to its advanced and adaptable Automatic movement System (ATS) structure, which facilitates the automated movement of cash from a compromised device to one controlled by an attacker.

Xenomorph Goes After Banks

The ATS engine of the Xenomorph malware has several modules that enable threat actors to gain control over compromised devices and carry out a range of malicious activities.

The malware targets Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile consumers. ThreatFabric researchers found new trojan samples that target Bitcoin, Binance, and Coinbase.

The Xenomorph banking virus targeted 56 European banks employing screen overlay phishing in early 2022. Google Play delivered it to over 50,000 users.

Hadoken Security: The Malware Brains

The firm behind it, “Hadoken Security,” improved the virus and released a modular, flexible version in June 2022. Xenomorph was one of the top 10 banking trojans and a Zimperium “major threat” by then.

Depending on the demographic, each Xenomorph sample has about a hundred overlays that target various banks and cryptocurrency apps.

Meanwhile, users should exercise caution when urged to upgrade their mobile browsers, as these requests are often hidden spyware.

Featured image from Bleeping Computer