Xenomorph hunts cryptocurrency logins on Android

Cryptocurrency owners should take heed of warnings related to Xenomorph malware—Bleeping Computer reports that the most recent version of Xenomorph now targets various cryptocurrency wallets using fake browser update messaging as bait.

Xenomorph is roughly a year old, first springing to prominence after an installation campaign via the Google Play store resulted in more than 50,000 hijacked Android phones. At the time, Xenomorph crept into the official Android store via false pretences.

As with so many mobile scams, pretending to be a system-cleaning tool worked like a charm, and the app bypassed some security measures by fetching the rogue component only after installation. In other words: Google Play wouldn’t have noticed anything untoward, because at the time of initial installation everything looked normal.

The malware abused permissions to log SMS, intercept notifications, and use overlays to grab login details for up to 56 different banks.

This on its own is already very malicious behaviour. A year later, Xenomorph is back with an impressive sequel in tow. It would be more accurate to say that this is part 5, after several revisions over the past 12 months which have seen Xenomorph distributed in new ways and gain new features, such as multi-factor authentication bypass and cookie stealing.

The new attack involves the use of that well-worn tradition, the fake browser update landing page. Bogus “Your Chrome needs updating” pages convince visitors to download and install the new rogue Android file.

At this point, Xenomorph deploys its most favoured tactic: the bogus overlay. These overlays mimic various banks and, now, the login screens of multiple cryptocurrency services such as Metamask.

We’ve warned of the dangers of handing over your cryptocurrency secret recovery phrase to random websites and extensions many times. Even folks who are well versed in these kinds of scams may not realise that a genuine-looking overlay is coming from an entirely unrelated Android installation.

This latest version is said to target “more than 100 different targets”, using crafted pages to try to swipe the user’s details. It also includes a so-called “mimic” feature, which allows the malware to launch bogus activity from otherwise legitimate services. As Bleeping Computer notes, this technique means the fraudsters don’t need to hide icons from the app launcher, something many security tools would flag as potentially dubious behaviour.

Xenomorph automates a lot of this, simulating user taps at specific screen locations and preventing the system from going to sleep, which helps it stay in contact with the Command & Control infrastructure issuing orders.
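The behaviours described above (SMS logging, notification interception, overlays, simulated taps and keeping the device awake) each require an Android app to declare a specific permission or bind a specific service type in its manifest, which makes the manifest a cheap first triage signal. The following is an added example written for this article, not Malwarebytes’ tooling nor an analysis of a real Xenomorph sample: it parses a constructed AndroidManifest.xml and reports which of those capability families are requested together. The mapping from each behaviour to a permission name is an assumption on my part (the article names no identifiers), and both sample manifests are constructed for illustration.

```python
"""Manifest triage heuristic for Xenomorph-style capability combinations.

Added example: not the article's or Malwarebytes' code. The permission
mapping below is an assumption, and both manifests are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Assumed mapping of the behaviours described in the article to the Android
# permissions an app must declare (or bind a service with) to obtain them.
CAPABILITIES: Dict[str, Set[str]] = {
    "sms_logging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "notification_interception": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "simulated_taps": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "keep_awake": {"android.permission.WAKE_LOCK"},
}

# Flag for review when this many capability families appear together;
# a single one (e.g. WAKE_LOCK) is common in benign apps.
REVIEW_THRESHOLD = 3

# Constructed manifest resembling a fake "cleaner" that asks for everything.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Cleaner">
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest for an ordinary app: network plus a wake lock only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.musicplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Player"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Collect <uses-permission> names plus the permission each <service>
    is guarded by (accessibility and notification listeners are bound that way)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR)
        if name:
            perms.add(name)
    for node in root.iter("service"):
        guard = node.get(PERM_ATTR)
        if guard:
            perms.add(guard)
    return perms


def suspicious_capabilities(manifest_xml: str) -> List[str]:
    """Return the capability families whose permissions the manifest requests."""
    perms = declared_permissions(manifest_xml)
    return [cap for cap, needed in CAPABILITIES.items() if perms & needed]


def triage(manifest_xml: str) -> Dict[str, object]:
    """Summarise the manifest: which families are present and a verdict."""
    caps = suspicious_capabilities(manifest_xml)
    verdict = "review" if len(caps) >= REVIEW_THRESHOLD else "ok"
    return {"capabilities": caps, "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("fakecleaner", SUSPICIOUS_MANIFEST),
                            ("musicplayer", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The point of the threshold is that no single permission here is damning; it is the combination of SMS access, overlay drawing, an accessibility service and a notification listener in one app with no plausible reason for them that should prompt a closer look.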

The researchers who made these discoveries also mention that the infrastructure hosting the rogue files contained additional malware, malware loaders, and Windows information stealers.

There’s a good chance some of these other files may already be in circulation, or could be at some point in the near future. If you receive browser update warnings while looking at websites, don’t hit that download button.

Browsers don’t typically announce updates in the middle of a web page, and especially not while you’re browsing. Update notifications sit away from the page content, inside the browser’s own user interface, for example to the right of your URL bar. Browsers will also tend to update automatically without you doing anything. If you want to know whether or not an update is needed, clicking into “Help” or “About” will usually get the job done.

Whether on mobile or desktop, we strongly recommend keeping your updates set to automatic. Let the browser do its job and help to keep you secure, and do your bit by ignoring any popups or in-browser messaging with an urgent notification about supposed browser updates.

We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.