Xenomorph banking trojan has snuck inside Google Play Store

November 17, 2022

A research team spotted the Xenomorph banking trojan inside some applications on the Google Play Store. This incident is yet another case of a malicious app that has successfully infiltrated the trusted source for downloading applications.

Cybercriminals have repeatedly found new ways to bypass the platform's defences, which has caused considerable alarm across the cybersecurity community.

According to the investigation, the two malware-embedded apps are Todo: Day manager and Expense Keeper. The former poses as a lifestyle app and the latter as a standard utility tool, but both function as droppers.

The first of these has been downloaded more than a thousand times. On first launch, it reaches out to a Firebase server to retrieve the malware payload and downloads the Xenomorph samples, which are hosted on GitHub.

The trojan then connects to its command-and-control server, whose address is decoded either from the content of a Telegram page or from a static code method, to request additional commands and prolong the infection.

The second app, Expense Keeper, behaves like the first. However, the researchers noticed that one of its parameters is deactivated, so the application cannot retrieve the dropper URL for the payload when it runs on the infected device.


On the bright side, Google has already deleted these apps that contain the Xenomorph banking trojan.


Based on reports, the Xenomorph banking trojan abuses Android's accessibility permissions to carry out overlay attacks.

It can prompt users to grant accessibility access, register itself as a device administrator, and prevent users from deactivating the Device Admin feature. It thereby establishes persistence, since the user is no longer able to uninstall it.

It also displays an overlay with fake login screens on top of legitimate banking apps to trick users into entering their credentials or other data. The banking trojan can also intercept text messages and notifications, allowing it to capture OTPs and MFA verification requests.

Security experts still warn users about these compromised apps because, although Google has removed them from the Play Store, they are very likely still available on numerous third-party services.
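As an added defender-side example, not code from the article or from the researchers, here is a Kotlin check a banking app could run at startup to surface the device signals the article describes: enabled accessibility services, active device administrators, and whether those packages were installed from Play. The allow-list of trusted accessibility services and the package names are assumptions constructed for this example.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.admin.DevicePolicyManager
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.view.accessibility.AccessibilityManager

// Accessibility services the bank is willing to coexist with (assumed list, constructed for
// this example; a real deployment would maintain its own).
private val TRUSTED_ACCESSIBILITY_PKGS = setOf("com.google.android.marvin.talkback")

private const val PLAY_STORE_PKG = "com.android.vending"

data class DeviceRiskReport(
    val untrustedAccessibilityPkgs: List<String>, // services that can read/inject UI (overlay precondition)
    val activeDeviceAdminPkgs: List<String>,      // admins the user may be unable to remove
    val notFromPlayPkgs: List<String>,            // flagged packages whose installer is not Play
) {
    val isRisky: Boolean
        get() = untrustedAccessibilityPkgs.isNotEmpty() || activeDeviceAdminPkgs.isNotEmpty()
}

/** Collects the device-side signals described above; the caller decides how to react. */
fun assessDeviceRisk(ctx: Context): DeviceRiskReport {
    val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val untrustedA11y = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .distinct()
        .filterNot { it in TRUSTED_ACCESSIBILITY_PKGS }

    val dpm = ctx.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
    val admins = (dpm.activeAdmins ?: emptyList()).map { it.packageName }.distinct()

    // Installer is a weak signal only: the Xenomorph droppers shipped through Play itself.
    // On Android 11+ package-visibility rules may hide the installer; treat that as unknown.
    val pm = ctx.packageManager
    val notFromPlay = (untrustedA11y + admins).distinct().filter { pkg ->
        val installer = try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R)
                pm.getInstallSourceInfo(pkg).installingPackageName
            else
                @Suppress("DEPRECATION") pm.getInstallerPackageName(pkg)
        } catch (e: PackageManager.NameNotFoundException) {
            null
        }
        installer != null && installer != PLAY_STORE_PKG
    }
    return DeviceRiskReport(untrustedA11y, admins, notFromPlay)
}
```

A positive report is a reason to warn the user or step up authentication, not proof of infection, since legitimate accessibility tools and enterprise admins produce the same signals.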
