A new Android banking malware targets customers of 56 banks in Europe. Discovered by the cybersecurity company ThreatFabric, Xenomorph hides behind seemingly innocuous apps and tries to steal passwords and even single-use codes. It appears to be inspired by a previous banking malware known as Alien.
Xenomorph is a Trojan horse distributed through Google's Play Store. It hides behind several fake apps, including one called Fast Cleaner. The latter, which offers to clean up the smartphone, has been downloaded by more than 50,000 people. It actually contains a module called Gymdrop which connects to a server to download and install the malware. This is how it bypasses Play Store security. These servers also host two other malware families: Alien, the predecessor of Xenomorph, and ExobotCompact.D. Those two are already well known, but Xenomorph is completely new.
A webpage displayed on top of the banking app
After installation, the malware requests permission to use accessibility services, which it then abuses to grant itself the other permissions it needs. It transmits the list of all the apps installed on the device in order to download the corresponding packages. When the user opens their banking application, the malware is notified through the accessibility services. It then displays a web page on top of the application, designed to look identical to it. The user then enters their credentials without realizing that they are not in the real application.
Xenomorph is also able to defeat two-factor authentication by intercepting notifications and SMS messages to retrieve single-use codes. The malware collects a lot of information, and could be used to log all text input and even monitor other applications on the infected phone.
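As an added example (not code from the article or from ThreatFabric), the checks below show how an Android banking app can react to the two behaviours described above: an unexpected accessibility service being enabled, and touches arriving through a window drawn over the login screen. The trusted-service list and the class and method names are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.util.Log;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class OverlayDefense {
    private static final String TAG = "OverlayDefense";

    // Accessibility services the bank chooses to trust (assumed list; extend per policy).
    private static final Set<String> TRUSTED_SERVICES = new HashSet<>(
            Arrays.asList("com.google.android.marvin.talkback"));

    private OverlayDefense() {}

    // Lists enabled accessibility services that are not on the trust list. The malware
    // relies on this permission to notice the bank app opening and to grant itself further
    // rights, so an unexpected entry here is a strong signal for the app's fraud telemetry.
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return suspicious;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_SERVICES.contains(pkg)) {
                suspicious.add(pkg);
            }
        }
        return suspicious;
    }

    // Hardens the login screen. The framework flag discards touches that reach the view
    // while another window is drawn on top of it (partial overlays, tapjacking). A full-screen
    // overlay that keeps the touches for itself is not stopped by the flag alone, so the
    // accessibility check runs before the credential fields are usable.
    public static void hardenLoginView(Context ctx, View loginRoot) {
        loginRoot.setFilterTouchesWhenObscured(true);
        List<String> services = untrustedAccessibilityServices(ctx);
        if (!services.isEmpty()) {
            Log.w(TAG, "untrusted accessibility services enabled: " + services);
            loginRoot.setEnabled(false); // bank policy decides: warn, step up, or refuse login
        }
    }
}
```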
Malware still under development
The researchers say Xenomorph is still in an early stage of development, and the code contains many commands that have yet to be implemented. The names of these commands suggest that in the future it may be able to update, uninstall, or even disable other applications. It could thus block any antivirus and then disappear without a trace once it has stolen the victim's password.
The malware is currently targeting banking applications in Spain, Portugal, Italy and Belgium, and is also targeting other applications such as messaging apps and cryptocurrency wallets. Researchers currently assign it a medium threat level. However, once the program is fully developed, it has the potential to pose a high threat level similar to that of other modern Android banking malware.