Hadoken Security Group Upgrades Xenomorph Mobile Malware

Written by

A new variant of the Xenomorph Android banking trojan has been spotted by ThreatFabric security researchers and classified as Xenomorph.C.

The variant, developed by the threat actor known as Hadoken Security Group, represents a substantial upgrade from the malware previously observed by ThreatFabric, according to an advisory published by the company earlier today.

“This new version of the malware adds many new capabilities to an already feature-rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS [Automated Transfer Systems] framework,” reads the technical write-up.

Thanks to its new features, Xenomorph.C can now start specified applications, show push notifications, steal cookies and forward calls, among other functions.

“Xenomorph v3 is capable of performing the whole fraud chain, from infection, with the aid of Zombinder, to the automated transfer using ATS, passing by PII exfiltration using keylogging and overlay attacks,” ThreatFabric wrote.

“In addition, the samples identified by ThreatFabric featured configurations with target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets.”

This figure represents a sixfold increase in targets compared to previous variants.

According to the cybersecurity company, the growth in popularity of Xenomorph.C can also be associated with Hadoken Security Group establishing a website to advertise it.

“The website dedicated to the advertisement of this Android Banker [indicates] clear intentions of entering the MaaS [Malware-as-a-Service] landscape and [starting] large-scale distribution,” reads the advisory.

“This functionality is typical of more advanced malware families, such as Gustuff and SharkBot, which have caused thousands of Euros worth of damage towards their targeted institutions,” ThreatFabric explained.

The team also spotted Xenomorph.C being distributed via third-party hosting services, primarily the Discord content delivery network (CDN).

“ThreatFabric expects Xenomorph to increase in volume, with the likelihood of being [once] again distributed via droppers on the Google Play Store,” warned the company.

The malware was also mentioned in Flashpoint’s 2022 Financial Threat Landscape report as one of the most popular trojans active in 2022.

What’s hot on Infosecurity Magazine?