A new variant of the Xenomorph Android banking trojan has been observed by ThreatFabric security researchers and classified as Xenomorph.C.
The variant, developed by the threat actor known as Hadoken Security Group, represents a substantial upgrade over the malware previously observed by ThreatFabric, according to an advisory published by the company earlier today.
“This new version of the malware adds many new capabilities to an already feature-rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS [Automated Transfer Systems] framework,” reads the technical write-up.
Thanks to its new features, Xenomorph.C can now start specified applications, show push notifications, steal cookies and forward calls, among other capabilities.
“Xenomorph v3 is capable of performing the entire fraud chain, from infection, with the help of Zombinder, to the automated transfer using ATS, passing through PII exfiltration using keylogging and overlay attacks,” ThreatFabric wrote.
“In addition, the samples identified by ThreatFabric featured configurations with target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets.”
This figure represents a sixfold increase in targets compared to previous variants.
According to the cybersecurity company, the growth in popularity of Xenomorph.C can also be associated with Hadoken Security Group setting up a website to advertise it.
“The website dedicated to the advertisement of this Android Banker [indicates] clear intentions of entering the MaaS [Malware-as-a-Service] landscape and [starting] large-scale distribution,” reads the advisory.
“This functionality is typical of more advanced malware families, such as Gustuff and SharkBot, which have caused thousands of Euros worth of damage towards their targeted institutions,” ThreatFabric explained.
The team also observed Xenomorph.C being distributed via third-party hosting services, primarily the Discord content delivery network (CDN).
“ThreatFabric expects Xenomorph to increase in volume, with the likelihood of being [once] again distributed via droppers on the Google Play Store,” warned the company.
The malware was also mentioned in Flashpoint’s 2022 Financial Threat Landscape report as one of the most popular trojans active in 2022.