Xenomorph Malware Burrows into Google Play Users, No Facehugger Required

Researchers discovered a new, modular banking trojan with ties to Cerberus and Alien that has the capability to become a much larger threat than it is now.

An Android trojan dubbed Xenomorph has nested in Google Play, already racking up more than 50,000 downloads from the official app store, researchers warned. For anyone who downloaded the “Fast Cleaner” app, it’s time to nuke it from orbit.

According to a ThreatFabric analysis, Xenomorph has a target list of 56 different European banks, for which it provides convincing facsimiles of log-in pages whenever a victim attempts to log into a mobile banking app. The goal of course is to steal any credentials that victims enter into the faux log-in overlay.

However, the malware is also a flexible, modular banking trojan, which has code overlaps and other ties to the Alien malware – hence the name. It notably contains the ability to abuse Android’s accessibility services for broad control over a device’s capabilities, which could open the door to dangerous features that go beyond hijacking mobile banking credentials.

Webinar Promo

Click to Register for FREE!

“The Accessibility engine powering this malware, together with the infrastructure and command-and-control (C2) protocol, are carefully designed to be scalable and updatable,” the researchers warned in a Monday posting. “The information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioral data on victims and on installed applications, even if they are not part of the list of targets.”

That advanced functionality is not yet implemented, so the researchers have deemed Xenomorph as still under development. However, they noted that it’s already making a mark on the banking trojan front: “Xenomorph is already sporting effective overlays [for banking apps] and being actively distributed on official app stores.”

It also uses SMS and notification-interception to log and use potential two-factor authentication (2FA) tokens, according to ThreatFabric. And, they added, “It would be unsurprising to see this bot sport semi-automatic transfer system (ATS) capabilities in the very near future.”

ATS is the process of automatically initiating wire transfers from the victims without needing to use credentials, thus bypassing 2FA and all anti-fraud measures.

ThreatFabric observed the malware being loaded by a dropper hiding in a Google Play application called “Fast Cleaner” (since reported to Google). Sporting 50,000 installations, it purported to remove unused clutter and battery optimization blocks for better device processing times.

“This is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such application[s],” the researchers said.

Inside the Shell: Xenomorph’s Core Functionality

In terms of its main overlay attack vector, Xenomorph is powered by Accessibility Services privileges, the researchers found.

“Once the malware is up and running on a device, its background services receive Accessibilty events whenever something new happens on the device,” they explained in a Monday posting. “If the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package.”

More specifically, once installed, the malware enumerates and sends back a list of installed packages on the infected device. Based on what targeted applications are present, it goes on to download the corresponding overlays to inject.

“The list of overlay targets returned by Xenomorph includes targets from Spain, Portugal, Italy and Belgium, as well as some general purpose applications like emailing services, and cryptocurrency wallets,” according to ThreatFabric.

After obtaining Accessibility Services privileges, Xenomorph will first register and verify itself with the C2, by sending a request using the legitimate, open-source project Retrofit2 (a type-safe REST client for Android, Java and Kotlin developed by Square).

That first message contains the initial information exfiltrated about the device, according to ThreatFabric. After that, Xenomorph periodically polls for new commands from the C2.

For now, the commands allow the malware to log SMS messages, list the web injects sent by the C2, enable or disable intercept notifications, and enumerate installed apps.

Meanwhile, the malware also performs the aforementioned logging: “All the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware,” researchers warned.

Part of the Alien Franchise?

ThreatFabric’s analysis uncovered evidence of code reuse that links Xenomorph to the known Alien malware, which is a descendent of the infamous Cerberus malware.

These include the “use of the same HTML resource page to trick victims into granting the Accessibility Services privileges.” And further, Xenomorph uses state-tracking through the use of the “SharedPreferences” file.

“This file is commonly used to track the state of an application,” researchers noted. “However, the style of variable naming used by Xenomorph is very reminiscent of Alien, despite being potentially even more detailed.”

They added, “potentially the most interesting fact is the actual name of the sharedPreferences file used to store the configuration for Xenomorph: the file is named ring0.xml. This might look like any other generic random string, but it happens to coincide with the name of the supposed actor behind the development of the original Alien malware.”

Even though for now Xenomorph is a fairly typical banking trojan, ThreatFabric noted that it does have untapped potential.

“Modern banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates,” researchers concluded. “Xenomorph is at the forefront of this change…ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android banking trojans.”

Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion, “The Secret to Keeping Secrets,” sponsored by Keeper Security, will focus on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be

Suggested articles