Xenomorph Android Malware Can Steal Passwords from 400 Banking Apps - Protect Yourself Now


A new version of the dangerous Android malware Xenomorph has been discovered in the wild, adding many new features, including the ability to steal credentials from 400 different banking apps.

The original Xenomorph malware, first discovered by cybersecurity firm ThreatFabric last February, was a banking Trojan distributed via malicious apps in the Google Play store. The malware was particularly dangerous because it used overlay screens for 56 European banking apps to steal users' credentials and drain their accounts.

Xenomorph v2 was then released in June 2022 with a major code overhaul that made the malware more modular and flexible. But now, as reported by BleepingComputer, a third version of this malware has again been discovered by ThreatFabric.

This new version targets 400 banks and financial institutions in the United States, Canada, India, and numerous European countries, including Chase, Citibank, American Express, ING, HSBC, Wells Fargo, and National Bank of Canada. A full list of banking apps targeted by Xenomorph v3 is available in the ThreatFabric report.

Xenomorph v3 adds new features that further increase the threat, including the ability to automatically steal data such as credentials and account balances, as well as perform banking transactions and money transfers. In its report on the matter, ThreatFabric explains that "Xenomorph is now able to fully automate the entire fraud chain, from infection to money transfer," making it one of the most advanced and dangerous Android malware Trojans in circulation today. In addition to the 400 banks and financial institutions, it can now steal cryptocurrency from several crypto wallets.

After examining samples of Xenomorph v3, ThreatFabric discovered a dedicated website promoting the latest version of this malware. This suggests that Hadoken Security, the creator of Xenomorph, aims to distribute it using a malware-as-a-service (MaaS) business model. The malware would therefore be sold to other cybercriminals through a subscription model and used in their attacks. At the moment, Xenomorph v3 is distributed through the "Zombinder" platform in the Google Play Store. This platform is particularly dangerous because the hackers who created it have found a way to add malware to legitimate Android apps. Unlike purpose-built malicious apps, these are regular Android apps that carry a malicious payload.

With the Xenomorph v3 ATS (Automated Transfer System) framework, cybercriminals can automatically extract credentials from infected Android smartphones, check account balances, steal money, and more.

The malware's ATS framework also allows it to bypass multi-factor authentication (MFA), which is typically used to block this type of automated transaction. You can get around this by using an authenticator app such as Google Authenticator or Microsoft Authenticator instead of SMS text messages for MFA in your banking apps. However, not all banks currently offer this option.

Xenomorph v3 also includes a cookie stealer that can take cookies from the Android CookieManager. This is done by launching a browser window for a legitimate service and tricking the victim into entering credentials. With these session cookies in hand, hackers can hijack web sessions and take over accounts.

Xenomorph v3 is a very serious threat that can drain funds from bank accounts and take over other online accounts because it automatically steals passwords.

It is currently distributed through Zombinder in the Play Store, so be very careful when installing new apps on your Android phone, even if you get them from the official app store. At the same time, it is recommended that you limit the overall number of apps installed on your phone.

When installing a new app, check the ratings and read reviews on the Play Store first. From here, you also want to look for external reviews on other sites, and video reviews are even better because you can see the app in action. Finding out the publisher of the app can also help you determine if it is legit or not.

One way to protect your Android phone is to make sure you have Google Play Protect enabled; it will scan your existing and newly installed apps for malware. For added protection, you can also install an Android antivirus app alongside it.

This probably won't be the last time you hear about Xenomorph v3, especially since its creators are trying to make it a paid service for other cybercriminals to use in their attacks.
