[MART] - Daily Diary #458 - Xenomorph, A New Android Banking Trojan

CTAS-MAT ctas-mat at appgate.com
Tue Feb 22 20:11:22 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

02/22/2022 - Diary entry #458:

This month, a new Android banking trojan named Xenomorph was disclosed. Xenomorph was being distributed by a malware dropper disguised as a legitimate app on the Google Play Store, which had more than 50,000 installations. This same dropper, identified as Gymdrop, has also been used since last year to deploy payloads from other malware families, such as Alien (covered in our Daily Diary #121). Xenomorph and Alien share some similarities, such as class names and strings, suggesting that they are probably developed by the same threat actor.

After being installed, Xenomorph abuses Accessibility Services to log the device activity and is able to collect the victim's device data. It can then intercept SMS messages and notifications, and trigger overlay screens once it detects that a targeted application has been launched. Xenomorph's targets include cryptocurrency apps and 56 different European banks from Spain, Italy, Belgium, Portugal, and other countries.

To communicate with its C2, Xenomorph uses an open-source project named Retrofit2, an HTTP client for Android that manages the process of creating, sending, and receiving HTTP requests and responses. All messages are encrypted using AES, and the malware is able to receive several commands to collect the victim's data or to enable/disable its functionalities. However, several commands had not yet been implemented, suggesting that Xenomorph is still under development.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
C: +55 11 97467 9549
