Xenomorph is a new Android banking trojan that targets at least 56 European banks and was installed from the Google Play store more than 50,000 times before the dropper app carrying it was removed.
The FastCleaner utility on Google Play (since removed by Google) claimed to speed up an Android device by removing unused clutter and lifting battery-optimisation restrictions. The app itself is clean at install time; some time after installation it activates its Gymdrop dropper component, which downloads and installs further malware onto the device. One of the payloads it fetched was the new Xenomorph banking trojan.
Once running on the device, Xenomorph harvests device information and the existing SMS messages, and starts intercepting notifications and newly arriving SMS messages. When the user opens a banking app on the malware's target list, it abuses the Android Accessibility Service (which lets it see which app is in the foreground and grant itself further rights) to place an overlay over the real login screen. The overlay captures the login credentials, and the SMS interception captures the two-factor authentication codes the bank sends, so the attacker ends up with everything needed to log in as the victim.
Given that Android accounts for roughly 87% of the global handset market, it is unsurprising that threat actors aim their malware at the largest possible pool of victims. By publishing apps that look benign when Google reviews them and only later downloading and installing the malicious modules, they are able to pass the Google Play store's pre-publication checks, at least for now.
When an Android application is installed or first used, it asks for the permissions it needs, and the user must grant them for the app to work. Be very wary of any app that asks for "Full control of your device" through the Accessibility settings, for Device Admin rights, or for access to SMS messages or notifications that its stated purpose does not explain: a cleaner or battery app has no need to read your screen or your text messages, and these are precisely the capabilities that banking malware abuses.
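The capabilities described above (an enabled accessibility service, a notification listener, SMS access, overlay and install rights) can be audited on a device or fleet without any vendor tooling. The following script is an added example written for this article, not code from the original page or from the Xenomorph/Gymdrop analysis. It parses the values of the Android secure settings `enabled_accessibility_services` and `enabled_notification_listeners` (as returned by `adb shell settings get secure <key>`) and an excerpt of `adb shell dumpsys package <pkg>` output, then flags any package outside an allow-list that combines an accessibility service or notification listener with SMS, overlay or package-install permissions, the profile an overlay-and-SMS-stealing banker needs. The package names in the sample data are fictional, the sample output is constructed to match the real `dumpsys` layout, and the allow-list and the set of "risky" permissions are assumptions to tune per fleet.

```python
"""Flag Android packages whose enabled capabilities match a banking-trojan profile.

Inputs are plain text you would pull with adb (all real commands):
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell dumpsys package <pkg>
Sample data below is constructed; 'com.fastclean.booster' is a fictional package.
"""
import re
from collections import defaultdict

# Permissions a banker needs besides accessibility; the list is an assumption for triage.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "side-load further payloads",
}
# Packages known to legitimately hold these capabilities (assumed allow-list).
ALLOWLIST = {"com.google.android.marvin.talkback", "com.android.messaging"}


def parse_component_list(value: str) -> set[str]:
    """Turn a colon-separated component list ('pkg/.Svc:other.pkg/other.pkg.Svc')
    into the set of package names.  'settings get' prints 'null' when unset."""
    pkgs = set()
    for comp in value.strip().split(":"):
        if comp and comp != "null":
            pkgs.add(comp.split("/", 1)[0])
    return pkgs


def parse_dumpsys_package(text: str) -> dict[str, set[str]]:
    """Collect granted permissions per package from 'dumpsys package' output.
    Both the 'install permissions:' and 'runtime permissions:' sections use lines
    like '      android.permission.READ_SMS: granted=true[, flags=...]'."""
    grants: dict[str, set[str]] = defaultdict(set)
    pkg = None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            pkg = m.group(1)
            continue
        m = re.match(r"\s*([\w.]+): granted=(true|false)", line)
        if m and pkg and m.group(2) == "true":
            grants[pkg].add(m.group(1))
    return grants


def triage(accessibility: str, listeners: str, dumpsys: str) -> dict[str, list[str]]:
    """Return {package: [reasons]} for non-allow-listed packages that hold an
    accessibility service or notification listener AND at least one risky
    permission.  Either half alone is common in benign apps; the combination
    is what an overlay/SMS-stealing banker relies on."""
    a11y = parse_component_list(accessibility)
    listen = parse_component_list(listeners)
    grants = parse_dumpsys_package(dumpsys)
    findings = {}
    for pkg in sorted((a11y | listen) - ALLOWLIST):
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled: reads screen, auto-clicks, detects foreground app")
        if pkg in listen:
            reasons.append("notification listener enabled: reads 2FA notifications")
        perm_hits = [f"{p.rsplit('.', 1)[1]}: {why}" for p, why in RISKY_PERMISSIONS.items()
                     if p in grants.get(pkg, set())]
        if perm_hits:
            findings[pkg] = reasons + perm_hits
    return findings


# Constructed sample data (fictional package names, realistic dumpsys layout).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.fastclean.booster/.AccessService")
SAMPLE_LISTENERS = "com.fastclean.booster/.NotifyService"
SAMPLE_DUMPSYS = """\
  Package [com.fastclean.booster] (3f9a1c2):
    userId=10231
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.android.messaging] (7b11de0):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_DUMPSYS).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device, feed the script the three adb outputs for every package that appears in the two settings values; an accessibility-enabled app with no risky permission is not reported, because screen readers and automation tools legitimately look like that, whereas a "cleaner" holding both an accessibility service and SMS access should be removed and the credentials used on that device treated as compromised.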