An Android trojan has been downloaded over 50,000 times from the official app store, Google Play. Researchers have advised anyone who downloaded the “Fast Cleaner” app to remove it ASAP.
According to researchers, the trojan, dubbed “Xenomorph”, has a target list of 56 different European banks, for which it provides convincing spoofed login pages whenever a victim attempts to log into a mobile banking app. The goal is to steal any credentials that victims enter into the faux login page.
However, the malware is also a flexible, modular banking trojan, which has code overlaps and other ties to the Alien malware. It notably contains the ability to abuse Android’s accessibility services for broad control over a device’s capabilities, which could open the door to dangerous features that go beyond hijacking mobile banking credentials.
Researchers warned: “The Accessibility engine powering this malware, together with the infrastructure and command-and-control (C2) protocol, are carefully designed to be scalable and updatable. The information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioural data on victims and on installed applications, even if they are not part of the list of targets.”
That advanced functionality is not yet implemented, so the researchers have deemed Xenomorph as still being under development. However, they noted that it’s already making a mark on the banking trojan front: “Xenomorph is already sporting effective overlays [for banking apps] and being actively distributed on official app stores.”
It also uses SMS and notification interception to log and use potential two-factor authentication (2FA) tokens. And, they added: “It would be unsurprising to see this bot sport semi-automatic transfer system (ATS) capabilities in the very near future.”
ATS is the process of automatically initiating wire transfers from victims without needing to use credentials, bypassing 2FA and all anti-fraud measures. Researchers observed the malware being loaded by a dropper hiding in a Google Play application called “Fast Cleaner”. With over 50,000 installations, it promised to remove unused clutter and battery optimisation blocks for better device processing times.
In terms of its main overlay attack vector, Xenomorph is powered by Accessibility Services privileges, the researchers found: “Once the malware is up and running on a device, its background services receive Accessibility events whenever something new happens on the device.
“If the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package.”
More specifically, once installed, the malware sends back a list of installed packages on the infected device. Based on what targeted applications are present, it goes on to download the corresponding overlays to inject. After obtaining Accessibility Services privileges, Xenomorph will first register and verify itself with the C2, by sending a request using the legitimate, open-source project Retrofit2.
That first message contains the initial information exfiltrated about the device. After that, Xenomorph periodically polls for new commands from the C2. For now, the commands allow the malware to log SMS messages, list the web injects sent by the C2, enable or disable intercept notifications, and interfere with installed apps.
Meanwhile, the malware also performs the aforementioned logging: “All the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware,” researchers warned.
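The behaviour described above rests on three capabilities a user grants to the dropper's payload: an enabled Accessibility service (which feeds it the events that trigger the overlay), SMS or notification access (for 2FA tokens), and the overlay permission. The following triage script is an added example, not code from the article or from the researchers it quotes: it flags installed packages whose granted capabilities match that combination. The package names, service names and device output are all constructed, and the parser reads a simplified form of what `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services` / `enabled_notification_listeners` print, so on a real device you would feed it the actual command output.

```python
"""Triage: flag installed Android apps whose enabled capabilities match the
pattern the article describes (an enabled Accessibility service combined with
SMS access, a notification listener and/or the overlay permission).
Added example; package names and device output below are constructed."""

import re
from typing import Dict, List, Set

# Constructed sample of the `enabled_accessibility_services` secure setting:
# a colon-separated list of "<package>/<service class>" entries.
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/.TalkBackService:com.example.cleaner/.CleanService"
)
# Constructed sample of `enabled_notification_listeners`, same shape.
ENABLED_NOTIFICATION_LISTENERS = "com.example.cleaner/.NotifService"

# Constructed, simplified dumpsys-style output for three packages.
DUMPSYS_OUTPUT = """
Package [com.example.cleaner]
  requested permissions:
    android.permission.INTERNET
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
    android.permission.SYSTEM_ALERT_WINDOW
Package [com.android.talkback]
  requested permissions:
    android.permission.INTERNET
Package [com.example.messenger]
  requested permissions:
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
    android.permission.INTERNET
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


def parse_services_setting(value: str) -> Set[str]:
    """Return the package names from a 'pkg/Service:pkg/Service' setting value."""
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry.strip()}


def parse_dumpsys(text: str) -> Dict[str, Set[str]]:
    """Map package name -> set of requested permissions from dumpsys-style text."""
    perms: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:
            current = header.group(1)
            perms[current] = set()
        elif current and line.startswith("android.permission."):
            perms[current].add(line)
    return perms


def assess(perms: Dict[str, Set[str]], accessibility_pkgs: Set[str],
           listener_pkgs: Set[str]) -> Dict[str, List[str]]:
    """Return package -> risk indicators for packages that have an enabled
    Accessibility service plus at least one further interception capability.
    A lone Accessibility service (e.g. a screen reader) is not reported."""
    findings: Dict[str, List[str]] = {}
    for pkg, requested in perms.items():
        if pkg not in accessibility_pkgs:
            continue
        indicators = ["accessibility service enabled"]
        if requested & SMS_PERMS:
            indicators.append("SMS read/receive")
        if pkg in listener_pkgs:
            indicators.append("notification listener enabled")
        if OVERLAY_PERM in requested:
            indicators.append("overlay permission")
        if len(indicators) > 1:
            findings[pkg] = indicators
    return findings


def run_triage() -> Dict[str, List[str]]:
    """Run the checks over the constructed sample data."""
    return assess(
        parse_dumpsys(DUMPSYS_OUTPUT),
        parse_services_setting(ENABLED_ACCESSIBILITY),
        parse_services_setting(ENABLED_NOTIFICATION_LISTENERS),
    )


if __name__ == "__main__":
    for pkg, why in run_triage().items():
        print(f"{pkg}: {', '.join(why)}")
```

On the sample data only the constructed `com.example.cleaner` is reported: the screen reader holds Accessibility alone, and the messaging app holds SMS permissions without Accessibility, which is why the check keys on the combination rather than on any single permission.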
Even though, for now, Xenomorph is a fairly typical banking trojan, researchers added that it does have untapped potential: “Modern banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates.”
As always, Neuways advises users to be wary of installing unrecognised applications, even from official application stores, because they may contain malware as potent as Xenomorph. All it takes is one errant download and your phone could become a beacon of confidential information for cyber criminals. Worse still, if your phone doubles as your work device, this could lead to your organisation becoming compromised, too.