A new variant of the Xenomorph Android banking trojan has been spotted by ThreatFabric security researchers and classified as Xenomorph.C.
The variant, developed by the threat actor known as Hadoken Security Group, represents a significant update from the malware previously observed by ThreatFabric, according to an advisory published by the firm earlier today.
“This new version of the malware adds many new capabilities to an already feature-rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS [Automated Transfer Systems] framework,” reads the technical write-up.
Thanks to its new features, Xenomorph.C can now start specific applications, show push notifications, steal cookies and forward calls, among other functions.
“Xenomorph v3 is capable of performing the full fraud chain, from infection, with the help of Zombinder, to the automated transfer using ATS, passing by PII exfiltration using keylogging and overlay attacks,” ThreatFabric wrote.
“In addition, the samples identified by ThreatFabric showcased configurations with target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets.”
This figure represents a sixfold increase in targets compared to previous variants.
According to the cybersecurity firm, the growth in popularity of Xenomorph.C can also be linked with Hadoken Security Group developing a website to promote it.
“The website dedicated to the advertisement of this Android Banker [indicates] clear intentions of entering the MaaS [Malware-as-a-Service] landscape and [starting] large-scale distribution,” reads the advisory.
“This operation is typical of more sophisticated malware families, such as Gustuff and SharkBot, which have caused thousands of Euros worth of damage towards their targeted institutions,” ThreatFabric explained.
The team also spotted Xenomorph.C being distributed through third-party hosting services, mainly the Discord content delivery network (CDN).
“ThreatFabric expects Xenomorph to increase in volume, with the possibility of being [once] again distributed via droppers on the Google Play Store,” warned the firm.
The malware was also mentioned in Flashpoint’s 2022 Financial Threat Landscape report as one of the most popular trojans active in 2022.
Some parts of this article are sourced from:
www.infosecurity-journal.com