This dangerous Android malware is stealing from 100 banking apps — protect yourself now

Green skull on smartphone screen.
(Image credit: Shutterstock)

The notorious Xenomorph Android malware has resurfaced once again, and this time it has been upgraded with new capabilities and a target list of more than 100 banking and crypto apps, including those of 35 U.S. financial institutions.

As reported by BleepingComputer, this banking trojan was first documented by security researchers at ThreatFabric in February 2022. Since then, Xenomorph has received a number of updates, including one that made the malware modular and more flexible, and it has also been distributed through a dropper called BugDrop that was designed to get around security features introduced in Android 13.

Now an upgraded version of Xenomorph is being used in a new campaign targeting Android users in the U.S., Canada, Spain, Italy, Portugal and Belgium. This time around, a new “mimic” feature lets the malware pose as another app, and a “ClickOnPoint” feature lets the cybercriminals behind it simulate taps at specific coordinates on the phone’s screen.

Because Xenomorph uses overlays to harvest the credentials for your banking and crypto apps and then drain your accounts, this Android malware strain is particularly dangerous and one you want to avoid at all costs.

Using Chrome updates as a lure

According to ThreatFabric, the cybercriminals behind this new campaign have decided to use phishing sites to infect unsuspecting Android users with the Xenomorph malware.

These phishing sites tell potential victims that the version of Chrome they’re using is out of date and must be updated immediately. A button at the bottom of the page reads “Upgrade Chrome,” but instead of fetching a new version of Google’s browser it downloads a malicious APK file. That APK contains Xenomorph, and a victim who opens it and approves the prompt to allow installs from their browser has unwittingly put the malware on their own smartphone.

As with past versions of this banking trojan, it continues to use overlays to steal user credentials from banking and crypto apps. When a victim opens a targeted app, the malware draws a fake login screen on top of the real one, designed to look identical to it. Just like with a credit card skimmer, whatever the user types into that screen goes to the hackers instead of the bank. Here are just some of the banking and crypto apps it targets (the full list is available in ThreatFabric’s blog post):

  • Chase
  • Citi
  • Bank of America
  • Capital One
  • PNC
  • Santander
  • TD Bank
  • Wells Fargo
  • Coinbase
  • Binance
  • MetaMask

It’s worth noting that the overlays bundled with Xenomorph differ depending on where a victim is located, so each regional campaign carries fake screens for the banks popular in that country.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

Regarding this new Xenomorph campaign, victims could have avoided infection simply by not falling for the Chrome update lure. Chrome, like other apps distributed through Google Play, is updated by the Play Store itself. A website cannot update your browser, so any page that tells you to download and install an APK to “upgrade Chrome” is a phishing attempt, no matter how convincing it looks.

Likewise, to avoid falling victim to Android malware, you shouldn’t sideload apps and should instead only install new apps from official Android app stores like Google Play, the Amazon Appstore or the Samsung Galaxy Store. Sideloaded apps don’t go through the same security checks that apps uploaded to official app stores do. Sideloading also requires granting your browser the “Install unknown apps” permission (under Settings > Apps > Special app access), and that permission is worth leaving switched off.
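As a concrete way to act on this advice, here is a small POSIX shell audit, added as an example for this article and not taken from Tom’s Guide or ThreatFabric. It reads the installer that Android’s package manager records for each third-party app (the output of `adb shell pm list packages -3 -i`) and flags anything that was not installed by an app store. Google Play’s package name is `com.android.vending`; the Amazon Appstore and Samsung Galaxy Store names in the allowlist, and the sample package-manager output, are the example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from Tom's Guide or ThreatFabric): flag apps that did not
# arrive through an app store, using the installer package name that Android's
# package manager records for every installed package.
#
# Real use:   adb shell pm list packages -3 -i | tr -d '\r' | flag_sideloaded
# (-3 = third-party apps only, -i = show installer; tr strips CRs adb may add)

# Store installers to trust. The package names are this example's assumption:
# Google Play, Amazon Appstore, Samsung Galaxy Store.
TRUSTED_INSTALLERS="com.android.vending com.amazon.venezia com.sec.android.app.samsungapps"

# Read `pm list packages -i` lines from stdin, in the form
#   package:<app>  installer=<store-or-null>
# and print "<app> (installer=<who>)" for every app whose installer is not trusted.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;              # skip anything that is not a package line
        esac
        pkg=${line#package:}
        pkg=${pkg%% *}                    # drop everything after the app name
        installer=${line##*installer=}    # "null" means no installer was recorded
        trusted=0
        for store in $TRUSTED_INSTALLERS; do
            if [ "$installer" = "$store" ]; then trusted=1; fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s (installer=%s)\n' "$pkg" "$installer"
        fi
    done
    return 0
}

# Constructed sample output (not captured from an infected phone). A lookalike
# "Chrome update" APK installed from a browser download is recorded with the
# system package installer as its source; adb-installed apps show "null".
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.chrome.update.fake  installer=com.google.android.packageinstaller
package:com.example.util  installer=null'

# Number of sideloaded apps in the sample (used by the demo below).
count_sideloaded() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded | wc -l | tr -d ' '
}

printf 'Apps not installed by a trusted store:\n'
printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded
```

Android will not install an update whose signing key differs from the app already on the device, so a fake “Chrome update” cannot replace the real Chrome and shows up as a separate package with a non-store installer, which is exactly what this listing surfaces. A flagged entry is not proof of malware (developer builds pushed over adb also show `installer=null`), but each one is worth checking before you trust it with a banking login.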

For additional protection, you should also consider installing one of the best Android antivirus apps on your smartphone. Google Play Protect can scan your new and existing apps for malware, but it doesn’t offer the same range of features that paid Android antivirus apps do.

The Xenomorph malware is still relatively new but we’ve already seen multiple updates and new versions released. As such, cybercriminals and hackers will likely continue to use this malware strain in their attacks and potentially add even more overlays for popular banking and crypto apps to it. 

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
  • @KevinWong_2016
    "As most Android users know, app updates always come from Google Play and never come from a website." There are many safe apps that can't be on Google Play because they violate policy, and they have to be updated via websites 💀