Android malware harvesting banking credentials


A new Android banking trojan, Xenomorph, with over 50,000 installations has been observed being distributed via the official Google Play Store to harvest sensitive information, especially financial information, from its users. The malware masquerades as a legitimate productivity application such as “Fast Cleaner”, a generic performance-boosting app ostensibly meant to clear junk, increase device speed and optimize battery life, to trick unaware victims into installing it.

Once up and running on a victim’s device, Xenomorph harvests banking information by performing overlay attacks (replacing a legitimate login page with a fake page) and by intercepting notifications, including SMS, to bypass SMS-based two-factor authentication. It also prevents users from uninstalling it. The malware asks for Accessibility Services privileges, which allow it to grant itself further permissions. Xenomorph is reported to have targeted about 56 financial institutions across Europe, including dozens of banks in Spain, Portugal, Italy, and Belgium.

To avoid detection during the Play Store application review, Xenomorph fetches its payload after installation, ensuring that the app is clean at the time it is submitted for review. Fast Cleaner has since been taken off the Google Play Store.


  • The malware steals sensitive banking details and takes control of accounts to initiate unauthorised transactions, with the stolen data being sold to prospective buyers.
  • Xenomorph intercepts notifications, logs text messages, and uses injections to conduct overlay attacks, allowing it to steal the logins and one-time passwords that protect banking accounts.

Systems/Technologies Affected

  • This malware affects all Android devices.


  • Android users are advised to steer clear of applications that seem too good to be true.
  • Android users should also check other users' reviews to help avoid downloading malicious apps.
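
For analysts reviewing an app before it is allowed on managed devices, the capabilities described above (an Accessibility Service combined with notification or SMS access) can be checked in a decoded AndroidManifest.xml. The following is an added example, not part of the original advisory: the sample manifest, package name and function names are constructed, and the check is a generic triage heuristic, not a signature for Xenomorph.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical "cleaner" app
# (not taken from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Example Cleaner">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
}

def triage_manifest(xml_text):
    """Return the sorted capabilities named in the advisory that the manifest declares."""
    root = ET.fromstring(xml_text)
    found = set()
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") in SMS_PERMS:
            found.add("sms_access")
    for svc in root.iter("service"):
        # A service guarded by one of these bind permissions registers that capability.
        label = SERVICE_BINDINGS.get(svc.get(ANDROID_NS + "permission"))
        if label:
            found.add(label)
    return sorted(found)

def needs_review(xml_text):
    """Flag apps that pair an accessibility service with SMS or notification access."""
    caps = set(triage_manifest(xml_text))
    return "accessibility_service" in caps and bool(
        caps & {"sms_access", "notification_listener"})

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

A flagged manifest is a prompt for manual review, since legitimate accessibility tools can request the same combination.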