“The Accessibility engine powering this malware, together with the infrastructure and command-and-control (C2) protocol, are carefully designed to be scalable and updatable,” the researchers warned in a Monday posting. “The information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioral data on victims and on installed applications, even if they are not part of the list of targets.”

That advanced functionality is not yet implemented, so the researchers have deemed Xenomorph as still under development. However, they noted that it’s already making a mark on the banking trojan front: “Xenomorph is already sporting effective overlays and being actively distributed on official app stores.” It also uses SMS and notification interception to log and use potential two-factor authentication (2FA) tokens, according to ThreatFabric. And, they added, “It would be unsurprising to see this bot sport semi-automatic transfer system (ATS) capabilities in the very near future.”

ATS is the process of automatically initiating wire transfers from the victims without needing to use credentials, thus bypassing 2FA and all anti-fraud measures.

ThreatFabric observed the malware being loaded by a dropper hiding in a Google Play application called “Fast Cleaner” (since reported to Google). Sporting 50,000 installations, it purported to remove unused clutter and battery optimization blocks for better device processing times. “This is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such applications,” the researchers said.

Inside the Shell: Xenomorph’s Core Functionality

In terms of its main overlay attack vector, Xenomorph is powered by Accessibility Services privileges, the researchers found. “Once the malware is up and running on a device, its background services receive Accessibility events whenever something new happens on the device,” they explained in a Monday posting. “If the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package.”

More specifically, once installed, the malware enumerates and sends back a list of installed packages on the infected device. Based on what targeted applications are present, it goes on to download the corresponding overlays to inject. “The list of overlay targets returned by Xenomorph includes targets from Spain, Portugal, Italy and Belgium, as well as some general purpose applications like emailing services, and cryptocurrency wallets,” according to ThreatFabric.

After obtaining Accessibility Services privileges, Xenomorph will first register and verify itself with the C2, by sending a request using the legitimate, open-source project Retrofit2 (a type-safe REST client for Android, Java and Kotlin developed by Square). That first message contains the initial information exfiltrated about the device, according to ThreatFabric. After that, Xenomorph periodically polls for new commands from the C2. For now, the commands allow the malware to log SMS messages, list the web injects sent by the C2, enable or disable notification interception, and enumerate installed apps.

Meanwhile, the malware also performs the aforementioned logging: “All the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware,” researchers warned.

ThreatFabric’s analysis uncovered evidence of code reuse that links Xenomorph to the known Alien malware, which is a descendant of the infamous Cerberus malware. These include the “use of the same HTML resource page to trick victims into granting the Accessibility Services privileges.” And further, Xenomorph uses state-tracking through the use of the “SharedPreferences” file. “This file is commonly used to track the state of an application,” researchers noted. “However, the style of variable naming used by Xenomorph is very reminiscent of Alien, despite being potentially even more detailed.”
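The capability profile described above (an Accessibility service driving overlays, SMS and notification interception for 2FA tokens, and enumeration of installed packages) is visible in an app’s manifest before any dynamic analysis. The following triage script is an added example written for this page, not ThreatFabric’s tooling and not the Fast Cleaner dropper’s actual manifest: it parses a decoded AndroidManifest.xml (as produced by apktool or similar) and flags the combination of an Accessibility service with any interception or overlay capability. Both manifests embedded below are constructed for illustration; the permission and service names are the standard Android ones.

```python
"""Static triage of a decoded AndroidManifest.xml for the overlay-banker
capability profile: an AccessibilityService plus SMS/notification
interception or overlay windows.

Added example for this page; not ThreatFabric's code. Manifests below are
constructed samples, not the real Fast Cleaner dropper.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample shaped like the capability set described in the article.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Cleaner">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign sample for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def manifest_capabilities(xml_text):
    """Return the set of capability tags declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    caps = set()
    if {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} & perms:
        caps.add("sms_interception")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        caps.add("overlay_window")
    # Needed on Android 11+ to list all installed packages (target enumeration).
    if "android.permission.QUERY_ALL_PACKAGES" in perms:
        caps.add("package_enumeration")
    for svc in root.iter("service"):
        svc_perm = svc.get(ANDROID_NS + "permission")
        if svc_perm == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility_service")
        if svc_perm == "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
            caps.add("notification_interception")
    return caps


def triage(xml_text):
    """Flag the manifest when an Accessibility service is combined with
    2FA-interception or overlay capability. Accessibility alone is not
    flagged: many legitimate apps declare it, so the combination is the signal.
    Note that an Accessibility-driven WebView Activity does not need
    SYSTEM_ALERT_WINDOW, so interception alone is enough to flag."""
    caps = manifest_capabilities(xml_text)
    risky = caps & {"sms_interception", "notification_interception", "overlay_window"}
    flagged = "accessibility_service" in caps and bool(risky)
    return {"capabilities": sorted(caps), "flagged": flagged}


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(text))
```

Run it against `apktool d app.apk` output by reading `AndroidManifest.xml` into `triage()`. Treat the result as a triage hint, not a verdict: a hit says the app can behave the way the article describes, and dynamic analysis (what the Accessibility service does with window-state events, where it posts the package list) decides the rest.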