This Android malware hid inside an app downloaded 50,000 times from Google Play Store
A new type of Android banking trojan malware has been downloaded by over 50,000 users in just a few weeks, targeting customers of 56 different European banks.
This malware first appeared this month, according to cybersecurity researchers at ThreatFabric, who dubbed it ‘Xenomorph’ due to links to another trojan called Alien. The malware is intended to steal usernames and passwords in order to gain access to bank accounts and other sensitive personal information.
The malware, like many other types of Android malware, appears to be able to circumvent security measures and infiltrate smartphones via apps in the Google Play Store. One of the apps discovered was a cleaner app that promised to speed up a device by removing unused clutter; it has been downloaded over 50,000 times.
The app appeared to provide the functionality advertised, but it also delivered malware, which steals usernames and passwords via fake overlays that activate when the victim attempts to log in to banking apps. Because the overlay replaces the actual login screen, any information entered is sent to the attackers. Banks in Spain, Portugal, Italy, and Belgium are currently under attack. The malware also includes overlays capable of stealing passwords for email accounts and cryptocurrency wallets.
Xenomorph can also intercept SMS messages and app notifications, helping it steal the authentication information needed to bypass multi-factor authentication. Researchers have linked Xenomorph to another Android trojan, Alien, because of design similarities: both use the same HTML resource page to trick victims into granting access to accessibility services. The researchers note that the malware still appears to be in the early stages of development, as many commands present in the code aren’t active yet.
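
For defenders vetting apps before they reach managed devices, the combination of capabilities described above (accessibility services plus SMS or notification access, in an app sold as a cleaner) can be checked from a decoded AndroidManifest.xml. The following is an added example, not code from ThreatFabric or the article; the package name, service names and sample manifest are constructed, and the mapping from capabilities to manifest declarations is an assumption based on standard Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: standard Android declarations an app needs for the capabilities
# the article describes (accessibility services, SMS and notification access).
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample: decoded manifest of a hypothetical "cleaner" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fastcleaner">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CleanService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


def capabilities(manifest_xml):
    """Return the sensitive capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Services guarded by a BIND_* permission reveal which system role they fill.
    bound = {e.get(ANDROID + "permission") for e in root.iter("service")}
    found = set()
    if ACCESSIBILITY in bound:
        found.add("accessibility_service")
    if NOTIF_LISTENER in bound:
        found.add("notification_access")
    if requested & SMS_PERMS:
        found.add("sms_access")
    return found


def triage(manifest_xml):
    """Flag apps pairing accessibility with SMS or notification access."""
    caps = capabilities(manifest_xml)
    if "accessibility_service" in caps and caps & {"sms_access", "notification_access"}:
        return "review", sorted(caps)
    return "ok", sorted(caps)


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A "review" result is a prompt for manual analysis, not a verdict: legitimate accessibility and messaging apps declare the same capabilities, so the signal is strongest when the app's advertised purpose does not explain them.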