Experts discovered Xenomorph malware in the Google Play Store

ThreatFabric experts 發現 a new Xenomorph banking Trojan on the Google Play Store (the official Android app store) that attacks users from Spain, Portugal, Italy and Belgium.

The researchers describe the malware as a classic banker that infects Android devices, requests the rights to use the Accessibility service, and then uses them to display fake login screens, overlaying them on top of real banking applications.

Currently, Xenomorph can display such overlays for 56 banks in Spain, Portugal, Italy and Belgium, as well as 12 cryptocurrency wallets and 7 email apps.

Xenomorph on the Google Play Store

另外, the malware collects other data about the device and transfers everything received to the cybercriminalscontrol servers. The collected data is later used to access bank accounts and steal funds. If accounts are protected by two-factor authentication, Xenomorph is able to intercept SMS notifications and extract the necessary codes from them.

然而, the most annoying thing in this situation is that Xenomorph is distributed through malicious applications in the Google Play Store and is delivered as a payload during the second stage of infection.

The surfacing of Xenomorph shows, once again, that threat actors are focusing their attention on landing applications on official markets. This is also a signal that the underground market for droppers and distribution actors has increased its activity.ThreatFabric specialists explain.

Xenomorph on the Google Play Store

So far, experts have found only one application distributing XenomorphFast Cleaner, which was installed on more than 50,000 devices before being removed from the Google Play Store. The application contained the Gymdrop dropper, which successfully passed all Google checks, and after downloading to the victim’s device, it downloaded and installed more powerful malwareXenomorph.

Although analysts write that Xenomorph is still at the development stage, but it already poses a serious threat, from which and new attacks can definitely be expected in the future. 此外, there is an example of even more sly thingfake VulkanRT library for Windows, that in fact contain rootkit.

It is worth noting that the name Xenomorph arose for a reason: experts noticed many signs in the code that linked the malware to the old Alien banking trojan. 所以, they decided to use a similar name, also inspired by the Alien movie series.

你可能都有興趣了解這一點 FritzFrog botnet is active again and that Android malware Roaming Mantis attacks European users.

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕