Xenomorph: A newly hatched Banking Trojan

Gandalf_The_Grey

In February 2022, ThreatFabric came across a new Android banking Trojan, which we dubbed Xenomorph. The name comes from its clear ties with another infamous banking Trojan, Alien, from which Xenomorph adopts class names and interesting strings.

Based on the intelligence gathered, users of 56 different European banks are among the targets of this new Android malware trojan, distributed on the official Google Play Store, with more than 50.000 installations.

Just like the monster protagonist of the famous Ridley Scott franchise, this malware shares some aspects with its predecessor. However, despite its obvious ties to one of the most widespread malware families of the last two years, Xenomorph is radically different from Alien in functionality. This fact, in addition to the presence of unimplemented features and the large amount of logging present in the malware, may suggest that this malware is the in-progress new project of either the actors responsible for the original Alien, or at least of someone familiar with its code base. However, this is only speculation at the moment.

As we have previously discussed, threat actors are increasingly focusing their efforts into sneaking their way onto the Google Play Store (MITRE T1475).

Google has seemingly taken some action to reduce the amount of malicious applications on the app market, but often these efforts are not enough to stop criminals from reaching the store. As part of our daily threat hunting, ThreatFabric analysts encounter and report malicious applications on the store to Google.

One of the applications ThreatFabric discovered was posing as “Fast Cleaner”, an application aiming at speeding up the device by removing unused clutter and removing battery optimization blocks.
The application itself seemed successful, with more than 50.000 installations reported on Google Play. This is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such applications.

Cybervision

Thanks for sharing.
From what I understand it seems the Fast Cleaner app does not contain malicious code but it downloads it after installation on the user's device.
I wonder if an Android AV could intercept this silently downloaded payload.