More than 30 US Banks Targeted in New Xenomorph Malware Campaign

Written by

Xenomorph malware has reemerged in a new distribution campaign, expanding its scope to target over 30 US banks along with various financial institutions worldwide. 

Cybersecurity analysts from ThreatFabric recently uncovered this resurgence, which relies on deceptive phishing webpages posing as a Chrome update to trick victims into downloading malicious APKs.

Xenomorph first came to the attention of experts in February 2022. This malware is known for using overlays to capture personally identifiable information (PII) such as usernames and passwords. Notably, it features a sophisticated automated transfer system (ATS) engine, enabling a wide range of actions and modules, enhancing its adaptability.

The latest campaign has seen a geographical expansion, with thousands of Xenomorph downloads recorded in Spain and the United States, reflecting a broader trend among malware families to target new markets across the Atlantic.

In technical terms, Xenomorph has added new capabilities to its arsenal, including an anti-sleep feature, a “mimic” mode to avoid detection and the ability to simulate touch actions. The malware’s targets include Spain, Portugal, Italy, Canada, Belgium, numerous US financial institutions and cryptocurrency wallets.

Read more on Xenomorph: Hadoken Security Group Upgrades Xenomorph Mobile Malware

Another noteworthy development is the observation of Xenomorph being distributed alongside powerful desktop stealers, raising questions about potential connections between threat actors behind these malware variants, or the possibility that Xenomorph is now being offered as a Malware-as-a-Service (MaaS) for use in conjunction with other malicious software families.

According to an advisory published by ThreatFabric on Monday, this resurgence underscores the persistent efforts of cyber-criminals to maximize their profits.

“Xenomorph, after months of hiatus, is back, and this time with distribution campaigns targeting some regions that have been historically of interest for this family,” reads the technical write-up.

“Xenomorph maintains its status as an extremely dangerous Android Banking malware, featuring a very versatile and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturer’s devices.”

The ThreatFabric advisory, includes a detailed appendix with crucial information for identifying infections related to the Xenomorph malware.

Editorial image credit: HI_Pictures /

What’s hot on Infosecurity Magazine?