Xenomorph has infected at least 50,000 Android devices. The banking trojan steals login credentials in order to plunder victims’ bank accounts, according to an analysis of the new malware strain published by security firm ThreatFabric.

ThreatFabric follows Xenomorph closely. Today, the organization published an analysis of the new malware strain. Attackers disguise Xenomorph as legitimate apps on the Google Play Store. The most successful disguise was ‘Fast Cleaner’, an Android app with 50,000 installations. Although the app has since been removed, it was previously touted as a tool to speed up smartphones. In reality, the app acts as a dropper and downloads Xenomorph onto users’ devices.

Xenomorph activates when a user opens a legitimate app on an infected device. The malware then displays a counterfeit interface that looks the same as the legitimate app, laid over the real one. Anything the user types into it, such as usernames and passwords, is sent directly to the attacker.

Security researchers at ThreatFabric found that Xenomorph counterfeits 56 European banking apps in this way. Once a user enters login credentials into the counterfeit interface, the attacker uses them to break into the bank account. Roughly 50,000 devices are infected; the number of actual victims is unknown.

Google’s role

In 2020, ThreatFabric came across Alien, a trojan with similar functionality to Xenomorph. Because of the similarities, ThreatFabric suspects that the trojans were written by the same author(s).

Google takes measures to keep malicious apps out of the Play Store. Nevertheless, attackers find workarounds. Xenomorph is deployed only after the disguise, for example ‘Fast Cleaner’, has been installed. Because the disguise’s own code does not trigger alarms, Google allowed the app to be distributed on the Play Store.