U.S. banks and crypto wallets now prime targets for Xenomorph Android malware.

The Xenomorph Android malware has been discovered in the wild targeting banks and crypto wallets. ThreatFabric reports that in a recent campaign a newer version of the malware is being distributed to Android users living in Belgium, Canada, Italy, Portugal, Spain, and the United States of America.

Security analysts at ThreatFabric have been monitoring and tracking the malware since early 2022 (February). Their disclosure further indicates that the new campaign was launched in mid-August this year, with its main targets being financial institutions and the decentralized web (crypto) based in the United States.


New variant seen targeting citizens of Belgium, Canada, Italy, Portugal, Spain, and the United States of America. Image source: ThreatFabric


Brief History of the Xenomorph Android Malware:

A brief history of the Xenomorph malware shows that it was first noticed in the wild in early 2022, targeting over 56 European banks, with on-screen overlay phishing as its primary technique.


Analysis and timeline of the Xenomorph malware in 2023. Image source: ThreatFabric


Hadoken Security is said to be the author of the malware and released an upgraded version (with modular features and more flexibility) in June 2022. It is reported that over 50,000 Android users installed the application on their devices while the malware was still in its development stage.

The app was seen on the Play Store under the name “Fast Cleaner”, claiming to optimize the phone’s battery and clear clutter from storage. In reality, the malware does something far more sinister: it harvests device information and intercepts SMS messages received on the victim’s device, leading to online banking account takeover.


How Xenomorph Exploits Victims:

The Xenomorph malware exploits its victims by overlaying spoofed login pages of the banks on the threat actors’ target list.

Once an Android device is infected, every attempt by the victim to access their bank account is exposed to compromise. The malware automatically presents a counterfeit version of the bank’s login page, carefully designed to capture usernames, passwords, and other sensitive information. Additionally, the malware intercepts the 2FA (Two-Factor Authentication) codes sent to the victim by SMS.


The malware operates by automatically presenting a counterfeit version of the bank’s login page. Image source: ThreatFabric


This amalgamation of stolen information provides attackers with the means to effortlessly seize control of the victim’s bank account and pilfer their funds. In the year 2022, ThreatFabric reported a concerning development: the malware surfaced with a new moniker, “BugDrop,” and demonstrated the capability to circumvent security measures in Android version 13. This heightened the level of risk and sophistication associated with this malicious software.


New Campaign of Xenomorph:

The new campaign, discovered in August 2023, shows that the threat actors have switched their distribution method from smuggling the malware into the Google Play Store to distributing it through phishing web pages.

The discovery reveals a concerning tactic employed by these phishing pages: they impersonate legitimate Chrome browser update sites and even mimic the appearance of the official Google Play Store app.


Malware phishing link found impersonating a legitimate Chrome browser update.


These counterfeit pages are designed with remarkable precision to appear legitimate, making it highly challenging for users to discern their true nature. As a consequence of this deceptive ruse, unwitting individuals are enticed into downloading the malware’s malicious APK file. This represents a significant threat in and of itself, as it grants the malware access to the victim’s device, opening the door to a host of potential risks and malicious activities.

What makes this situation even more concerning is the malware’s expansion of its target geography to include the United States. Furthermore, its strategic focus on the financial industry and the burgeoning decentralized web of cryptocurrencies suggests a sinister and potentially large-scale operation in the making. This shift in focus raises the specter of substantial financial losses and security breaches, making it imperative for users and organizations to remain vigilant and proactive in safeguarding their digital assets.

ThreatFabric stated that:

“Xenomorph maintains its status as an extremely dangerous Android banking malware, featuring a very versatile and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturer’s devices.”

The new version of the Xenomorph malware is said to have a “mimic” feature that can be activated by a remote command, allowing the malware to switch its capabilities to those of another malware. The mimic feature is said to include a built-in activity named IDLEActivity, which acts as a WebView to display legitimate web content from the context of a trustworthy process. It also removes the need to hide the icon from the app launcher after installation, a behaviour that most mobile security tools flag as suspicious.


The new version of the Xenomorph malware possesses the “mimic” feature, enabling the malware to switch its capabilities. Image source: ThreatFabric


An additional feature, “ClickOnPoint”, enables the malware operator to simulate taps at specific screen coordinates, bypass confirmation screens, or perform other simple actions without employing the full ATS module, which triggers security warnings. This gives the operator a lightweight way to prolong the session and avoid interruptions that would require C2 (Command-and-Control) communication.
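The capabilities described above (overlay login pages, SMS interception, simulated taps) all map to permissions an app must declare. The following triage script is an added example, not code from this article or from ThreatFabric: it parses a decoded AndroidManifest.xml and flags the combination. The manifest is constructed for the example, and the assumption that simulated taps rely on an accessibility service is mine, not a statement from the report.

```python
"""Triage a decoded AndroidManifest.xml for the capability combination an
overlay-phishing banking trojan needs (constructed example, not ThreatFabric's
or Xenomorph's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Which Android permission enables which technique described in the article.
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}          # fake login screens
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}  # 2FA theft
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # assumed: tap simulation

# Constructed manifest of a hypothetical "cleaner" app requesting the full combination.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fastcleaner">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return per-capability flags plus a verdict: 'review' when two or more
    of the banking-trojan capabilities are requested together."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    acc_service = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
                      for s in root.iter("service"))
    flags = {
        "overlay": bool(perms & OVERLAY),
        "sms_intercept": bool(perms & SMS),
        "accessibility": acc_service,
    }
    score = sum(flags.values())
    flags["verdict"] = "review" if score >= 2 else "ok"
    return flags


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A benign utility app rarely needs more than one of these at once, so the combination is a useful triage signal before deeper analysis.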

ThreatFabric was able to access the malware payload by taking advantage of weak security measures on the malware operator’s hosting infrastructure. Additional malware was discovered there as well: the Android variants Medusa and Cabassous, the Windows information stealers RisePro and LummaC2, and the Private Loader used for the malware. Read more about the discovery on ThreatFabric.


FixitgearwareSecurity offers valuable guidance to users, emphasizing the importance of exercising caution when updating their applications. Even when downloading apps from the official Play Store, users are strongly urged to take several precautionary measures. Firstly, they should carefully read user reviews and ratings to gain insight into the app’s reliability and security. Secondly, users should research an application online before proceeding with the installation.

The distribution of the Xenomorph malware is indicative of a concerning trend. It appears to be part of a larger ecosystem where illicit collaborations occur among malicious actors, often referred to as black-hats. This Android trojan is not merely a standalone threat; instead, it is being actively marketed as a Malware-as-a-Service (MaaS). This evolution in the malware landscape underscores the growing sophistication and organizational structure of cybercriminal networks, making it imperative for individuals and organizations to remain vigilant and proactive in their cybersecurity practices.
