Xenomorph Android Banking Malware Attacks 30+ US Banks with New Stealing Capabilities

by Esmeralda McKenzie

Xenomorph has resurfaced in a new malware campaign aimed at dozens of financial institutions in the United States and Spain. The campaign has already produced thousands of downloads of the Xenomorph malware by victims.

Xenomorph is an Android banking trojan first discovered in February 2022 by ThreatFabric. In earlier campaigns it was distributed through phishing webpages that tricked victims into installing malicious APKs.

In this campaign a new target list has been identified, covering dozens of institutions in the US and Portugal as well as two cryptocurrency wallets, which is consistent with the earlier targeting of this banking malware family.

Xenomorph Android Malware

Xenomorph ranges from simple SMS manipulation up to full device control, the latter made possible by a powerful Automatic Transfer System (ATS) framework with remote-access capabilities. Its developers have steadily added new features to the malware to extend its functionality.


Xenomorph relies on overlay attacks as its primary method of harvesting Personally Identifiable Information (PII): a fake login screen is drawn on top of the legitimate banking app to capture usernames, passwords, credit card numbers and more. The modules available in Xenomorph, including the new functionality, are listed below.

MODULE NAME                                DESCRIPTION
notificationAccess                         Grant notification access
grantPermissions                           Automatically grants itself all required permissions
dozeModeDisableTypeA                       Disable Doze mode (Xiaomi MIUI) – variant 1
dozeModeDisableTypeB                       Disable Doze mode (Xiaomi MIUI) – variant 2
dozeModeDisableTypeC                       Disable Doze mode (Xiaomi MIUI) – variant 3
dozeModeDisableTypeD                       Disable Doze mode (Xiaomi MIUI) – variant 4
disablePlayProtect                         Disable Play Protect
xiaomiAdminAccess                          Get admin access (Xiaomi)
restrictUninstall_SamsungApi29             Prevent uninstall attempts on Samsung using API 29 (Android 10)
dismissSettingsAlerts_Generic              Dismiss Settings alerts
restrictReset_Generic                      Prevent device reset
restrictReset_ByContentVid_SamsungApi30    Prevent device reset on Samsung using API 30 (Android 11)
restrictUninstall_ByClassName              Prevent uninstall attempts by class name
restrictUninstall_Generic                  Prevent uninstall attempts
restrictAccessibilityDisable_Generic       Prevent disabling of Accessibility Services privileges
restrictAdminRetrieve_XiaomiApi30          Restrict retrieving admin on Xiaomi using API 30 (Android 11)
restrictSettingsClicks_Generic             Restrict clicks in Settings
defaultSmsApp-Alert                        Interact with the Default SMS settings alert
defaultSmsApp-Role-ChangePrevention        Prevent removal of the Default SMS role
defaultSmsApp-Role                         Get the Default SMS role
defaultSmsApp-Settings                     Set as Default SMS handler
grantSystemWritePermissions                Grants system write permissions
getGoogle2FA                               Gets Google Authenticator 2FA codes
grantWriteStoragePermissions               Grants write storage permissions (new functionality)
Modules and functionalities (Source: ThreatFabric)

Further investigation of this new version revealed that the threat actors have added several modules specific to Samsung and Xiaomi devices, since these two vendors together account for roughly 50% of the overall Android market share.

New Capabilities

Several commands have been added since the earlier versions of Xenomorph. The new commands are start_mimic (start the Mimic feature), stop_mimic (stop the Mimic feature), show_push (enable an anti-sleep push notification) and click_on_point (simulate a touch at specific coordinates). The Mimic feature lets the malware pose as another application, a capability the previous version did not have.

In addition, this Xenomorph campaign was found bundled with the RisePro stealer and traces of Private Loader, both popular desktop stealer families. The new version of Xenomorph was also seen alongside LummaC2, another well-known stealer.

Communication with the C2 has also been reworked: HTTP has been replaced by raw TCP sockets on port 50500, used both for receiving commands and for data exfiltration.

A full report has been published by ThreatFabric with detailed information on the malware, its distribution, code analysis, C2 communication, previous targets, new functionality and other findings.

Indicators of Compromise

Xenomorph Samples

HASH (SHA256) APP NAME PACKAGE NAME
e2646afca109162f66b117ca8a7feed0272ab6d8822132dafd2d54d7553cbfde Chrome com.peace.frequent
259e88f593a3df5cf14924eec084d904877953c4a78ed4a2bc9660a2eaabb20b Chrome com.mtnyrvojt.qtbxtwjnq
257f041d1b6ed82808cd8ef07ec84cf141c38e5374b654de46879a3bc180c79c Chrome com.uhtvqsutg.igogiciut

Xenomorph C2 servers

SERVER URL/IP ROLE
airlinesimulator[.]io Overlay Server
fobocontentplus[.]online C2 Server
fobocontentplus[.]top C2 Server
fobocontentplus[.]region C2 Server
92l[.]data Phishing Server
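As an added example (not ThreatFabric's or the article's own code), the following Python script turns the indicators and behaviours described above into a triage check: it matches installed packages against the sample hashes and package names, reports which flagged packages hold the accessibility, default-SMS and device-admin privileges the module table abuses, and flags TCP connections to port 50500 and DNS lookups of the listed domains. All telemetry it parses is constructed for the example, and the adb and Zeek field layouts are assumptions noted in the comments.

```python
# Triage helper added to this article as an illustration; it is not code from
# ThreatFabric or from the article's author. Every input below is a constructed
# sample, and the adb/Zeek output formats it parses are assumptions noted inline.

# Indicators copied from the tables above (domains re-fanged for matching).
IOC_SHA256 = {
    "e2646afca109162f66b117ca8a7feed0272ab6d8822132dafd2d54d7553cbfde",
    "259e88f593a3df5cf14924eec084d904877953c4a78ed4a2bc9660a2eaabb20b",
    "257f041d1b6ed82808cd8ef07ec84cf141c38e5374b654de46879a3bc180c79c",
}
IOC_PACKAGES = {"com.peace.frequent", "com.mtnyrvojt.qtbxtwjnq", "com.uhtvqsutg.igogiciut"}
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "airlinesimulator[.]io", "fobocontentplus[.]online", "fobocontentplus[.]top",
    "fobocontentplus[.]region", "92l[.]data")}
C2_PORT = 50500  # raw TCP C2 channel described above


def flag_packages(installed):
    """installed: iterable of (package_name, apk_sha256). Returns the sorted
    package names that match an IOC. The samples all pose as "Chrome", so the
    app label is useless for matching; use the hash and the package name."""
    return sorted({pkg for pkg, sha in installed
                   if pkg in IOC_PACKAGES or sha.lower() in IOC_SHA256})


def abused_privileges(flagged, accessibility_setting, sms_role_holder, device_admins):
    """Map each flagged package to the privileges from the module table it holds.
    accessibility_setting: value of Settings.Secure enabled_accessibility_services,
    assumed to look like 'pkg/service:pkg/service'. sms_role_holder: package
    holding android.app.role.SMS. device_admins: set of packages with an active
    admin receiver. Returns {package: [privilege, ...]} for packages holding any."""
    a11y = {entry.split("/", 1)[0] for entry in accessibility_setting.split(":") if entry}
    result = {}
    for pkg in flagged:
        held = []
        if pkg in a11y:
            held.append("accessibility")
        if pkg == sms_role_holder:
            held.append("default_sms")
        if pkg in device_admins:
            held.append("device_admin")
        if held:
            result[pkg] = held
    return result


def scan_network(conn_lines, dns_queries):
    """conn_lines: Zeek conn.log style tab-separated rows whose first seven
    fields are ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
    (assumed layout; '#' lines are skipped). dns_queries: (client, name) pairs.
    Returns (reason, detail) findings. A bare TCP/50500 hit is a weak signal on
    its own; corroborate it with the domain hits or the host findings."""
    findings = []
    for line in conn_lines:
        if not line or line.startswith("#"):
            continue
        _ts, _uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
        if proto == "tcp" and int(resp_p) == C2_PORT:
            findings.append(("tcp_50500", f"{orig_h} -> {resp_h}:{resp_p}"))
    for client, name in dns_queries:
        name = name.rstrip(".").lower()
        if name in IOC_DOMAINS or any(name.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(("ioc_domain", f"{client} queried {name}"))
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_INSTALLED = [
    ("com.android.chrome", "0" * 64),
    ("com.peace.frequent", "E2646AFCA109162F66B117CA8A7FEED0272AB6D8822132DAFD2D54D7553CBFDE"),
    ("com.example.bank", "1" * 64),
    ("com.some.dropper",  # repackaged under a new name: the hash still matches
     "257f041d1b6ed82808cd8ef07ec84cf141c38e5374b654de46879a3bc180c79c"),
]
SAMPLE_A11Y = ("com.peace.frequent/com.peace.frequent.AccService:"
               "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_SMS_ROLE = "com.peace.frequent"
SAMPLE_ADMINS = {"com.some.dropper"}
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "\t".join(["1695000000.1", "CAbc1", "10.0.0.5", "41234", "203.0.113.10", "50500", "tcp"]),
    "\t".join(["1695000001.2", "CAbc2", "10.0.0.5", "41235", "198.51.100.7", "443", "tcp"]),
    "\t".join(["1695000002.3", "CAbc3", "10.0.0.9", "41236", "203.0.113.11", "50500", "udp"]),
]
SAMPLE_DNS = [("10.0.0.5", "fobocontentplus.top."), ("10.0.0.5", "www.example.com")]

if __name__ == "__main__":
    flagged = flag_packages(SAMPLE_INSTALLED)
    print("flagged packages:", flagged)
    print("privileges held:", abused_privileges(flagged, SAMPLE_A11Y, SAMPLE_SMS_ROLE, SAMPLE_ADMINS))
    for reason, detail in scan_network(SAMPLE_CONN, SAMPLE_DNS):
        print(reason, detail)
```

Run it as-is to see the findings on the constructed data, or feed it real values from `adb shell settings get secure enabled_accessibility_services`, `adb shell cmd role get-role-holders android.app.role.SMS` and a Zeek conn.log. Treat the port-50500 rule as corroborating evidence rather than a verdict: the port is not reserved for anything, so pair it with a hash, package or domain hit before acting.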


Source credit : cybersecuritynews.com
