Xenomorph Android Malware Steals Data From 400 Banks

By   Adeola Adegunwa
Writer, Informationsecuritybuzz | Mar 10, 2023 12:34 pm PST

This new iteration of the Xenomorph Android malware adds two main capabilities: a new automatic transfer system (ATS) framework and the ability to steal login credentials for 400 banks. ThreatFabric found the initial iteration in February 2022; that banking malware has amassed over 50,000 downloads on the Google Play store.

The first iteration used injections for overlay attacks on 56 European banks and abused Accessibility Services permissions to intercept notifications and steal one-time codes. The malware’s creators, “Hadoken Security,” continued developing it throughout 2022, but later versions were never widely distributed.

Xenomorph v2 was instead only briefly tested in the wild when it was released in June 2022. A complete code rewrite gave the second version additional modularity and flexibility, which is what set it apart.

Xenomorph v3 is a far more capable and developed version of the Xenomorph than its predecessors. It can automatically steal data, including login credentials and account balances, conduct financial transactions, and complete payment transfers.

According to ThreatFabric, Xenomorph is now one of the most sophisticated and dangerous Android banking trojans in use: it can fully automate the entire fraud chain, from infection to cash exfiltration.

The launch of a website marketing the latest version lends credence to ThreatFabric’s assessment that Hadoken likely intends to sell Xenomorph to operators as a MaaS (malware-as-a-service) platform.

Xenomorph v3 is currently distributed through the “Zombinder” platform via the Google Play store; the dropper initially appears to be a currency converter and switches its icon to a Play Protect symbol once the malicious payload has been installed.

Additional Xenomorph Targets

The 400 financial institutions that are the focus of the most current Xenomorph attack are located in the US, Spain, Turkey, Poland, Australia, Canada, Italy, Portugal, France, Germany, the United Arab Emirates, and India.

Chase, Citibank, American Express, ING, HSBC, Deutsche Bank, Wells Fargo, Amex, Citi, BNP, UniCredit, National Bank of Canada, BBVA, Santander, and Caixa are just a few examples of the targeted companies.

ThreatFabric has included a list of all targeted banks in the appendix of its report, which is too long to reproduce here. In addition, the malware targets 13 cryptocurrency wallets, including Binance, BitPay, KuCoin, Gemini, and Coinbase.

The most noticeable addition to the latest Xenomorph version is the ATS framework, which gives the operators the ability to automatically extract credentials, monitor account balances, make transactions, and steal money from target apps without having to perform any actions remotely.

Instead, the operator merely sends JSON scripts, which Xenomorph interprets as a list of actions and then carries out on the infected device on its own.

According to ThreatFabric’s researchers, the ATS execution engine used by Xenomorph differs from its rivals in the range of programmable actions that can be included in ATS scripts and in a system that permits conditional execution and action prioritization.

One of the most notable features of the malware’s ATS framework is its ability to read the content of third-party authenticator apps, circumventing MFA (multi-factor authentication) safeguards that would otherwise block automated transactions.

According to ThreatFabric, Xenomorph can extract one-time codes from Google Authenticator. This is concerning because the authenticator app runs on the same device as the banking apps, at a time when banks are gradually moving away from SMS MFA and advising customers to use authenticator apps instead.

In addition, the new Xenomorph has a cookie stealer capable of stealing cookies from the Android CookieManager, where the user’s session cookies are kept.

To trick the victim into entering their login information, the stealer launches a browser window with the URL of a legitimate service and the JavaScript interface enabled.

The threat actors then steal the cookies, allowing them to hijack the victim’s web sessions and access their accounts.

Xenomorph, an Android threat, was a significant new malware when it entered the world of cybercrime a year ago.

It is now a far bigger threat to Android users worldwide after the release of its third major version. Because of the app’s current distribution method, Zombinder, users who download apps from Google Play should exercise caution, read reviews, and check the publisher’s background.

It is generally advised to install apps only from well-known and reliable providers and to restrict the number of active apps on your phone to a minimum.


According to the latest data from ThreatFabric, a new strain of the Xenomorph Android banking malware has been discovered in the wild. The revised version, which the threat actor behind the operation calls “Xenomorph 3rd generation,” has new features that enable it to carry out financial fraud invisibly. The threat actors leverage a newly released, highly extensible runtime engine powered by Accessibility Services to build a comprehensive ATS framework.

This is the most notable addition to an already feature-rich Android banker in this new version of the malware. Xenomorph first came to light in February 2022, when it was found using dropper apps on the Google Play store to target 56 European banks. The most recent version of the banker, by contrast, targets more than 400 banking and financial organizations, including various cryptocurrency wallets, and has a dedicated website touting its capabilities.
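Because the overlay, notification-interception and ATS capabilities described above all depend on an app holding an enabled accessibility service, a practical triage step on a suspect device is to list which packages have one enabled and flag any that are not expected. The script below is an added example, not code from the article or from ThreatFabric; the device output it parses is a constructed sample in the format returned by `adb shell settings get secure enabled_accessibility_services`, and the allowlist of expected packages is an assumption to be replaced per fleet.

```python
# Triage helper: flag unexpected enabled accessibility services on an Android device.
# Input format: colon-separated "package/ServiceClass" components, as returned by
#   adb shell settings get secure enabled_accessibility_services

# Constructed sample output (hypothetical packages, not indicators from the report).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.currencyhelper/.ui.HelperService"
)

# Assumption: packages whose accessibility services are expected on this fleet.
KNOWN_GOOD = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(setting: str):
    """Split the setting value into (package, fully qualified service class) tuples."""
    services = []
    for comp in setting.strip().split(":"):
        if not comp:
            continue
        pkg, _, svc = comp.partition("/")
        # Android allows ".Foo" as shorthand for "<package>.Foo"
        if svc.startswith("."):
            svc = pkg + svc
        services.append((pkg, svc))
    return services


def flag_unexpected(setting: str, known_good=KNOWN_GOOD):
    """Return the enabled services whose package is not on the allowlist."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(setting) if pkg not in known_good]


if __name__ == "__main__":
    # In practice, replace SAMPLE_SETTING with the real value pulled over adb.
    for pkg, svc in flag_unexpected(SAMPLE_SETTING):
        print(f"REVIEW: accessibility service enabled for unexpected package {pkg} ({svc})")
```

Any flagged package should be reviewed for what installed it and whether it matches the dropper pattern described above (a utility app whose icon later changes).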
