Xenomorph Android malware armed with more refined features

March 17, 2023
Xenomorph Android Malware Financial Trojan Mobile Data Stealer Banking Malware

Researchers have spotted the newest version of the Xenomorph Android malware equipped with more advanced cyberattack capabilities. According to reports, Xenomorph’s third version has an automated transfer system (ATS) framework that helps it hack and steal data from targets more effectively.

First identified last year in February, the malware’s first version was hidden within applications available in the Google Play Store that had successfully accumulated about 50,000 installations from unaware users.

Then, in June 2022, the second version of the malware was released, enhanced to be more modular in attack campaigns.


The Xenomorph Android malware v3 exhibits more adept capabilities.


Based on observations, the Android malware’s newest version can steal data from targets in a more automated approach, allowing it to exfiltrate users’ credentials, perform illicit banking transactions, view account balances, and make unauthorised fund transfers.

Xenomorph’s new ATS framework enables its operators to carry out malicious activities without needing any remote efforts. ATS can also log third-party authentication apps’ contents, evading multi-factor authentication commonly employed by banking applications.

It is also worth noting that this new malware version has a cookie stealer feature, which collects users’ cookies and web sessions to take control of a user’s banking account.

With these more innovative and enhanced features, researchers said that the Xenomorph Android malware can now complete an entirely automated fraud chain, making it one of the most dangerous trojans circulating in the cybercrime landscape.

Hadoken Security, Xenomorph’s developer, is also believed to have been plotting to advertise the malware as a MaaS (malware-as-a-service) platform to other threat actors who could utilise it for sophisticated campaigns.

Furthermore, researchers discovered that the Xenomorph v3 has been launching attacks on banking and financial institutions globally, including the US, UAE, India, Spain, Australia, Turkey, Poland, Canada, Italy, Portugal, France, and Germany.

Some banks that the Xenomorph Android malware has victimised are Amex, Citi, Citibank, American Express, Chase, ING, HSBC, National Bank of Canada, Caixa, BBVA, Santander, BNP, UniCredit, Deutsche Bank, and Wells Fargo.

Some cryptocurrency giants are also targeted, including Binance, Gemini, and Coinbase.

Since the new Xenomorph Android malware version poses heightened risks against banks employing MFA on their apps, security experts recommend that it is time to prefer using authenticator apps instead, which could be more effective in helping secure infrastructures against hackers.

About the author

Leave a Reply