Security researchers at cybersecurity company ThreatFabric discovered a new campaign leveraging the ‘Xenomorph’ malware on Android.
The campaign targets people in the U.S., Canada, Spain and other regions, and Xenomorph uses overlays that look like various financial institutions to steal peoples’ banking credentials. It also targets cryptocurrency wallets.
Bleeping Computer reported on ThreatFabric’s findings, offering a brief overview of Xenomorph’s history since it appeared in 2022. The malware has gone through a few revisions, and the newest campaign using it tries to get it onto devices by tricking people into downloading a fake Chrome update. A pop-up warns people that they’re using an outdated version of Google Chrome and encourages them to update the browser. However, if people tap the pop-up’s update button, it installs the Xenomorph malware instead.
The main takeaway for Android users should be to avoid installing Chrome updates — or anything for that matter — from a website pop-up. For the vast majority of Android users, updates from Chrome and other apps will come via the Play Store and only the Play Store.
Once installed, ThreatFabric says Xenomorph uses ‘overlays’ to steal information. The malware comes loaded with roughly 100 overlays targeting different sets of banks and crypto apps depending on the targeted region.
Moreover, the recent versions of Xenomorph include new features to enhance it. That includes a ‘mimic’ feature that gives the malware the ability to act as another application. Mimic includes a built-in activity called ‘IDLEActivity,’ which can act as a WebView to show legitimate web content. These capabilities replace the need for the malware to hide icons from the app launcher after installation, behaviour that can be flagged as suspicious by security tools.
Xenomorph also has a ‘ClickOnPoint’ feature that allows the malware’s operators to simulate taps on specific parts of the screen. That allows operators to move past confirmation screens or perform other simple actions without triggering security warnings.
The last new feature researchers found was an ‘antisleep’ tool to prevent a device from…