This super-dangerous Android malware has returned to target US shoppers and bankers

Hide your banking apps, hide your crypto wallets

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The infamous Xenomorph Androidmalwareis back with new tools, and ready to steal more than just money from unsuspecting victims, experts have warned.

Cybersecurity researchers ThreatFabric, which has been monitoring the malware since early 2022, there is a new campaign active at the moment, targeting victims in the U.S., Canada, Spain, Italy, Portugal, and Belgium.

The infection chain is similar to what we’ve seen from Xenomorph in the past - the attackers set up phishing pages, “warning” victims that their Chrome browser needs to be updated and then delivering the malicious APK to the endpoint.

New distribution mechanism

Those that take the bait and install the APK will get an advanced version of Xenomorph, capable of stealing money from numerous banks, as well as cryptocurrencies from different wallets.

The malware does so by overlaying legitimate apps, and this time around, Xenomorph comes with approximately a hundred different overlays. The app chooses the right overlay, depending on the target demographic.

“This latest campaign also added plenty of financial institutions from the United States, together with multiple crypto-wallet applications, totaling more than 100 different targets per sample, each one using a specifically crafted overlay to steal precious PII from the victim’s infected device,” the researchers said in their technical writeup.

Xenomorph has endured countless changes throughout the years. The latest version comes with a couple of new features, including a way to mimic legitimate apps, simulating a tap on the screen, and making sure the smartphone doesn’t switch its screen off by keeping active notifications on at times.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The malware was first discovered in early 2022 when it was observed targeting users of 56 banks in Europe. Back then, it was being distributed viaGoogle Play, and was downloaded more than 50,000 times. Since then, it was removed fromGoogle’s repository and deployed via a dropper called “BugDrop”.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)