New Google Play Malware Poses Major Threat to Mobile Banking

You’re probably tired of hearing this by now, but Google Play has yet another sinister malware problem lurking in its downloads section called Xenomorph. Its big cousin, a pervasive online banking malware dubbed Alien has been around for a while, but it looks like cybercriminals are banking on a new and improved recipe.

Discovered by researchers at Threat Fabric, the malware banking trojan has reportedly been downloaded over 50,000 times and infected users across more than 56 European banks. So far, researchers have only identified an app called Fast Cleaner on the Google Play Store with this malware attached.

That app has apparently been removed, but there are a bunch of apps just like it on the App Store, including one with a similar name and logo. There’s also a good chance the Xenomorph malware may be lurking within other apps on the store already.

Xenomorph Malware is Still Growing

Like its namesake, this malware has a life cycle, and right now it’s still very much in the early Chestburster stage. We’ve established that there’s a threat and that it’s dangerous, but we don’t know the full scope of its abilities or what it can grow into. Researchers have only confirmed one app spreading the malware so far, but it’s certain to grow and be reintroduced into new software down the road.

Xenomorph is part of the Gymdrop dropper family of malware, which also delivers the Alien trojan that was discovered by Threat Fabric as well. A Trojan dropper is a malicious piece of software that is either concealed in an app or program or is downloaded from a remote server once that app is installed.

Once users installed the Fast Cleaner app, Xenomorph contacted a remote server and downloaded various payloads which included the trojan malware. Google Play had no way to detect the malware as the cybercriminals behind the app waited until it was distributed before adding the malware to the remote server. Alien may have been one of the other payloads this app downloaded.

According to Threat Fabric, the malware contains many unimplemented commands (for now) as well as a large amount of logging which indicates that it’s still an ongoing project. The researchers also found that this malware was built with a modular approach that could support further expansion of its functionalities. All of that means we’re just seeing the start of what this malware will eventually turn into.

What Does the Xenomorph Malware Do?

Once you start up the Fast Cleaner app, the malware will be downloaded onto your device and activated. The app will then send you insistent requests to grant it access to your phone’s Accessibility Services and give it full control over your device.

The malware creates a fake overlay of any banking apps installed on the device and collects the credentials you enter when you want to bank online. It also uses SMS and notification interception to catch any two-factor authentication (2FA) messages when you log into your accounts. 2FA is the one-time pin an app will send you when you try to log into an account.

It also has the ability to abuse Android’s accessibility services which opens up a much wider control over a device’s functions. In the future, this malware could very well go beyond credential stealing to remotely take over infected devices.

While the Xenomorph malware shares many similarities with the Alien banking trojan, it looks like cybercriminals are trying to improve on that formula with the Xenomorph. Its current capabilities aren’t on par with Alien, which has been around for about 2 years. That said, the researchers at Threat Fabric believe Xenomorph’s strong modular design lends it a much bigger expansion in the future.

Protect Your Mobile From Online Threats

Google Play is a major target for cybercriminals because it’s an open-source platform and because of Android’s popularity across the globe. Unfortunately, that means you might download a malware-ridden app without knowing. Many users tend to trust the Google App store, and think that everything on it must be safe.

While Google is continually improving its services to try and keep up with threat actors, users need to take steps to protect themselves as well. You can avoid giving malware like Xenomporh a purchase on your device. Follow these basic mobile cybersecurity steps to stay ahead of cybercriminals:

Task Description
Update your device’s operating system. Google regularly releases OS updates that include security patches which protect phones against malware and viruses. Most phones update their OS automatically, but you can make sure your phone’s version is in line with the latest version released by Google.
Delete unused apps. Apps create potential entry points for cybercriminals via exploitable code vulnerabilities. These are more likely if the developers don’t regularly update their app or have abandoned it. Apps can also contain your credentials or other information that cybercriminals can steal via malware.
Avoid apps that claim to clean your phone. Apps cannot improve your phone’s functionality or performance. Carefully consider every app’s claims before you download it.
Review app pages carefully. Look at the number of downloads an app has and go through its reviews. If the app has a slew of praises that look fake, don’t download it. You can also Google the app with the words “scam” or “malware” to see if anything pops up.
Decline unnecessary app permission requests. Xenomorph needs you to give it full access to your phone to work, as do many types of mobile malware. Don’t just accept all app permission requests. Go through them carefully, and if an app is asking for too much, don’t accept it. Use your discretion and consider what the app would actually need to work.
Monitor your phone. Keep an eye out for suspicious activity on your phone. Anything like messages you didn’t send, a suddenly sluggish phone, new apps you didn’t install, or suspicious activity on your email and online accounts may indicate your phone has a malware infection.
Protect your mobile connection with CyberGhost VPN. Use CyberGhost VPN to encrypt your mobile connection and keep cybercriminals from intercepting your online browsing and data. Our military-grade encryption provides a protective barrier against outside interference.

Protecting your smartphone against malware and other threats doesn’t come down to doing any single thing. It won’t be because you downloaded one app or followed one very specific tip.

If you want to improve the security of your mobile devices, you need to adopt security-conscious habits like the ones mentioned above.

Leave a comment

Bitte senden Sie diese Informationen auch an alle Banken und Sparkassen in Deutschland.


From the author – “I’m sure most banks in Germany are already aware of this malware, as there’s a good chance some of their clients have fallen victim to it. If you’re concerned, you can contact your bank to see if they’re aware of the threat and ask whether they’re doing anything to let customers know about it.”

Write a comment

Your email address will not be published. Required fields are marked*