Xenomorph Android malware can steal passwords from 400 banking apps — protect yourself now

banking trojan on phone illustration
(Image credit: Shutterstock)

A new version of the dangerous Xenomorph Android malware has been spotted in the wild which includes a number of new capabilities, including the ability to steal credentials from 400 different banking apps.

First discovered by the cybersecurity firm ThreatFabric back in February of last year, the original Xenomorph malware was a banking trojan distributed via malicious apps on the Google Play Store. What made it particularly dangerous is the way in which it used overlays of 56 European banking apps to steal user credentials and drain their accounts.

Then in June 2022, Xenomorph v2 was released with a major code overhaul that made the malware modular and more flexible. Now though, as BleepingComputer reports, a third version of the malware has once again been discovered by ThreatFabric.

This new version targets 400 banks and financial institutions from the U.S., Canada, India and a number of European countries including Chase, Citibank, American Express, ING, HSBC, Wells Fargo, National Bank of Canada and more. You can find the full list of banking apps targeted by Xenomorph v3 in ThreatFabric’s full report.

Xenomorph v3

Xenomorph v3 adds loads of new features that make it an even greater threat, including the ability to automatically steal data like credentials and account balances, but it can also perform banking transactions and transfer funds.

In its report on the matter, ThreatFabric explains that “Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration” which makes it one of the most advanced and dangerous Android malware trojans currently in circulation. Besides 400 banking and financial institutions, it can also now steal cryptocurrency from several crypto wallets. 

Android malware botnet attack

(Image credit: Shutterstock)

After looking at samples of Xenomorph v3, ThreatFabric discovered a dedicated website advertising the latest version of the malware. This hints at the fact Hadoken Security, which created the malware, aims to distribute it using a malware-as-a-service (MaaS) business model. As such, it will be sold to other cybercriminals through a subscription model to be used in their attacks.

At the moment though, Xenomorph v3 is currently being distributed through the ‘Zombinder’ platform on the Google Play Store. This platform is particularly dangerous due to the fact that the hackers who created it have found a way to add malware to legitimate Android apps. Unlike malicious apps, these are regular Android apps that contain a malicious payload.

Bypassing MFA and stealing cookies

If that wasn’t bad enough, Xenomorph v3’s ATS framework allows cybercriminals to automatically extract credentials, check account balances, steal money and more from an infected Android smartphone.

The malware’s ATS framework also allows it to bypass multi-factor authentication (MFA) which would normally be used to block these types of automated transactions. Instead of using SMS text messages for MFA in your banking apps, you can get around this by using an authenticator app like Google Authenticator or Microsoft Authenticator instead. However, not all banks currently offer this option.

Xenomorph v3 even includes a cookie stealer that can take your phone’s cookies from the Android Cookie Manager. It does this by launching a browser window of a legitimate service and tricking a victim into entering their credentials. With these session cookies in hand, a hacker can then hijack a web session and take over your accounts.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

If you haven’t caught on yet, Xenomorph v3 is a very serious threat that can drain your bank accounts and take over your other online accounts, since it automatically steals passwords.

It’s currently being distributed using Zombinder on the Play Store, so you need to be extremely careful when installing new apps on the best Android phones, even if they do come from official app stores. At the same time, it’s a good idea to limit the number of apps you have installed on your phone overall.

When installing new apps though, you want to check their ratings and read the reviews on the Play Store first. From here, you also want to look for external reviews on other sites and video reviews are even better since you can see an app in action. Looking into an app’s publisher is a good idea as well as this can help you determine whether or not they’re legitimate.

As for protecting your Android phone, you want to make sure that Google Play Protect is enabled since it scans your existing apps and any new ones you install for malware. For additional protection you can always install one of the best Android antivirus apps alongside it though.

This likely won’t be the last time we hear about Xenomorph v3, especially since its creators are looking to make it a paid service for other cybercriminals to use in their attacks.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.