This dangerous Android malware is stealing from 100 banking apps — protect yourself now

Green skull on smartphone screen.
(Image credit: Shutterstock)

The notorious Xenomorph Android malware has once again resurfaced and this time, it’s been upgraded with new capabilities that allow it to target over 100 different banking and crypto apps including 35 U.S. financial institutions.

As reported by BleepingComputer, this banking trojan was first discovered by security researchers at ThreatFabric back in February 2022. Since then, we’ve seen a number of updates to Xenomorph, including one that made the malware modular and more flexible. However, it was also distributed using a dropper called BugDrop that let it bypass security features in Android 13.

Now though, an upgraded version of Xenomorph is being used in a new campaign that targets Android users in the U.S., Canada, Spain, Italy, Portugal and Belgium. This time around, a new “mimic” feature lets the malware act as another app on the best Android smartphones and a “ClickOnPoint” feature allows the cybercriminals behind it to simulate taps at specific places on your phone’s screen.

Since Xenomorph uses overlays to steal your credentials from banking and crypto apps to drain your accounts, this Android malware strain is particularly dangerous and one you want to avoid falling victim to at all costs.

Using Chrome updates as a lure

According to ThreatFabric, the cybercriminals behind this new campaign have decided to use phishing sites to infect unsuspecting Android users with the Xenomorph malware.

These phishing sites inform potential victims that the version of Chrome they’re using is obsolete and needs to be updated immediately. There’s a button at the bottom of the page that says “Upgrade Chrome” but instead of downloading a new version of Google’s browser, it leads to a malicious APK file. This APK file actually contains the Xenomorph malware which they’ve just unwittingly installed on their smartphone.

As with past versions of this banking trojan, it continues to use overlays to steal user credentials from banking and crypto apps. These overlays appear on top of legitimate apps and look identical to them. However, just like with credit card skimmers, when a user enters any information, it ends up in the hands of hackers instead. Here are just some of the banking and crypto apps it targets (with the full list available on TheatFabric’s blog post):

  • Chase
  • Citi
  • Bank of America
  • Capital One
  • PNC
  • Santander
  • TD Bank
  • Wells Fargo
  • Coinbase
  • Binance
  • MetaMask

It’s worth noting that the overlays that come preloaded with the Xenomorph malware are different depending on where a victim is physically located.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

Regarding this new Xenomorph campaign, victims could have avoided having their devices infected with this malware if they hadn’t fallen for the Chrome update lure. As most Android users know, app updates come directly from the Google Play Store and never need to be downloaded from a website nor installed as a separate APK file.

Likewise, to avoid falling victim to Android malware, you shouldn’t sideload apps and should instead only install new apps from official Android app stores like Google Play, the Amazon Appstore or the Samsung Galaxy Store. Sideloaded apps don’t go through the same rigorous security checks that apps uploaded to official app stores do.

For additional protection, you should also consider installing one of the best Android antivirus apps on your smartphone. While Google Play Protect can scan your new and existing apps for malware, it just doesn’t offer the same features that paid Android antivirus apps do. 

The Xenomorph malware is still relatively new but we’ve already seen multiple updates and new versions released. As such, cybercriminals and hackers will likely continue to use this malware strain in their attacks and potentially add even more overlays for popular banking and crypto apps to it. 

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • @KevinWong_2016
    "As most android users know app updates always come from google play and never come from a website" There are many safe apps that can't be on google play because they violate policy and they have to be updated via websites💀