The Xenomorph malware has been in circulation since it was first identified in 2022, attacking banks and stealing money. Now, in a recent development, threat actors have reportedly started distributing a newer version of the malware, which not only steals money from Android users in several countries but also targets cryptocurrency wallets.

Originally discovered in 2022, Xenomorph began as a banking trojan, initially focusing on 56 European banks and using screen-overlay phishing to capture credentials. Since then, the malware has been through a series of updates and has evolved into a more versatile, modular tool.

How does the malware work?

According to reports, the latest campaign targets Android users in the United States, Canada, Spain, Italy, Portugal, and Belgium, and uses a new "mimic" function that lets the malware pose as other apps. In the current campaign, threat actors lure victims to deceptive websites that display an alert claiming the Chrome browser requires an immediate update. The APK offered as that "update" is not Chrome at all; it is the Xenomorph malware. Real Chrome updates are delivered through Google Play, never through a browser pop-up that hands the user an APK to sideload.

Once the malware is active, it uses overlays, fake login screens drawn on top of legitimate apps, to harvest user credentials from banking and cryptocurrency applications. To make matters worse, the new version includes a "ClickOnPoint" capability that lets the operators simulate taps at precise screen coordinates, and an "Antisleep System" that keeps the device's screen from turning off, so that a fraudulent session is not interrupted.

List of targeted banks

Given the breadth of the campaign, the list of targeted banks and crypto wallets is also extensive and includes names such as Chase, Citi, Bank of America, Capital One, PNC, Santander, and TD Bank, as well as cryptocurrency platforms such as Coinbase, Binance, and MetaMask.


The malware is also being offered as a service to other criminals, which makes the basic precautions all the more important: do not install apps from outside Google Play (and do not grant a browser the "Install unknown apps" permission), review every permission an app requests, treat a request for Accessibility Service access from an unexpected app as a red flag, and run mobile security software.
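As an added, practical check (this script is not from the article and is not code from any of the vendors or apps mentioned in it), the following POSIX shell script triages an Android device over adb for the two traces a fake "Chrome update" APK of the kind described above leaves behind: packages that did not arrive through Google Play, and enabled accessibility services that are not on an allow-list. It assumes `adb` is on the PATH, the device is authorised for debugging, that Google Play's installer id is `com.android.vending`, and that TalkBack is the only accessibility service expected on the device (the allow-list is an assumption; adjust it per device). The sample data in the block is constructed so the helpers can be exercised without a phone.

```shell
#!/bin/sh
# Added example, not from the original article. Triage an Android device over adb:
#   1. list packages whose installer is not Google Play (sideloaded APKs)
#   2. list enabled accessibility services that are not explicitly allowed
# Assumptions: adb on PATH and an authorised device; Play installer id below;
# the accessibility allow-list is a per-device assumption, not a vendor fact.

PLAY_INSTALLER="com.android.vending"
# Services that are expected on this device (assumption: only TalkBack).
ALLOWED_A11Y="com.google.android.marvin.talkback"

# `adb shell pm list packages -i` prints lines such as
#   package:com.android.chrome  installer=com.android.vending
#   package:com.example.sideloaded  installer=null
# Print the package name of every line whose installer is not Google Play.
flag_sideloaded() {
    tr -d '\r' |
    sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' |
    while read -r pkg installer; do
        [ "$installer" = "$PLAY_INSTALLER" ] || printf '%s\n' "$pkg"
    done
}

# `adb shell settings get secure enabled_accessibility_services` prints
# colon-separated "package/ServiceClass" entries, or "null" when none are on.
# Print the package of every enabled service that is not on ALLOWED_A11Y.
flag_accessibility() {
    tr -d '\r' | tr ':' '\n' |
    sed -n 's#^\([^/]*\)/.*#\1#p' |
    while read -r pkg; do
        case " $ALLOWED_A11Y " in
            *" $pkg "*) ;;                  # expected service, skip
            *) printf '%s\n' "$pkg" ;;      # unexpected: report for review
        esac
    done
}

scan_device() {
    echo "== Packages not installed from Google Play =="
    adb shell pm list packages -i | flag_sideloaded
    echo "== Enabled accessibility services not on the allow-list =="
    adb shell settings get secure enabled_accessibility_services | flag_accessibility
}

# Constructed sample data (not captured from a real device): a sideloaded
# "update" app granted accessibility access, next to legitimate Play installs.
SAMPLE_PACKAGES='package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.chromeupdate.app  installer=com.android.packageinstaller
package:com.example.sideloaded  installer=null'
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.chromeupdate.app/com.chromeupdate.app.Svc'

demo() {
    echo "== Sample: packages not installed from Google Play =="
    printf '%s\n' "$SAMPLE_PACKAGES" | flag_sideloaded
    echo "== Sample: accessibility services not on the allow-list =="
    printf '%s\n' "$SAMPLE_A11Y" | flag_accessibility
}

# Usage: ./triage.sh device   (scan a connected phone)
#        ./triage.sh          (run against the constructed sample)
case "${1:-demo}" in
    device) scan_device ;;
    *)      demo ;;
esac
```

A package that shows up in both lists, sideloaded and holding accessibility access, is exactly the profile of the fake-update trojan described above and should be uninstalled and the account passwords it could have overlaid changed. The script only reports; it deliberately does not remove anything, and a clean result is not proof of a clean device, since an installer id can be spoofed by a root-level implant.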
