This Android malware hid inside an app downloaded 50,000 times from Google Play Store

Designed to steal usernames and passwords for banking apps, the malware was hidden in apps in the Google Play Store.
Written by Danny Palmer, Senior Writer

A new Android banking trojan targets customers of 56 different European banks and was delivered by a Google Play app downloaded by more than 50,000 users in the space of a few weeks. 

Detailed by cybersecurity researchers at ThreatFabric, who've dubbed it 'Xenomorph' because of its links to another trojan called Alien, the malware first appeared this month. It is designed to steal the usernames and passwords used to access bank accounts, along with other sensitive personal information. 

Like many other Android malware families, Xenomorph has managed to get past Google Play's protections and reaches smartphones via apps published in the Google Play Store.

One of the apps identified was a cleaner app that promised to help speed up a device by removing unused clutter: the app has been downloaded over 50,000 times.

The app appeared to offer the functionality it advertised, but it also delivered the malware, which steals usernames and passwords with the aid of fake overlays that activate when the victim opens a targeted banking app. The overlay is drawn on top of the genuine login screen so that it looks like part of the bank's app, meaning any credentials entered go to the attackers rather than to the bank. 

Banks in Spain, Portugal, Italy and Belgium are currently among those being targeted. The malware is also equipped with overlays that can steal passwords for email accounts and cryptocurrency wallets. 

The malware can also intercept SMS messages and app notifications, which lets it capture the one-time codes banks send through those channels and bypass SMS- or notification-based multi-factor authentication. 

ThreatFabric has linked Xenomorph to another Android trojan malware, Alien, because of design similarities. The two forms of malware use the same HTML resource page to trick victims into granting accessibility services privileges, which they abuse to help take control of the device. 
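The capabilities described in the preceding paragraphs (overlays drawn over banking apps, SMS and notification interception, and abuse of accessibility services) are all declared in an app's manifest before a single line of its code runs, which makes them a useful triage signal for anyone vetting APKs. The script below is an added example, not code from this article or from ThreatFabric, that inspects a decoded AndroidManifest.xml (for instance as produced by apktool) for that combination. It goes slightly beyond the text by scoring the combination of capabilities rather than any single permission, since a floating-widget app may legitimately request SYSTEM_ALERT_WINDOW on its own. The two manifests embedded in it are constructed for illustration and do not come from the Xenomorph sample.

```python
"""Triage a decoded AndroidManifest.xml for the banking-trojan capability set:
overlay permission, SMS access, an accessibility service and a notification
listener. Added example; the sample manifests below are constructed, not real."""
import xml.etree.ElementTree as ET

# android:* attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission and intent-action names for the four capabilities.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
NOTIFICATION_LISTENER_ACTION = (
    "android.service.notification.NotificationListenerService"
)
CAPABILITIES = ("overlay", "sms_intercept", "accessibility_service",
                "notification_listener")


def _service_actions(root):
    """Collect every intent-filter action declared on any <service>."""
    actions = set()
    for service in root.iter("service"):
        for action in service.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name:
                actions.add(name)
    return actions


def analyse_manifest(manifest_xml):
    """Return which of the four capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = _service_actions(root)
    return {
        "package": root.get("package"),
        "overlay": OVERLAY_PERMISSION in permissions,
        "sms_intercept": bool(permissions & SMS_PERMISSIONS),
        "accessibility_service": ACCESSIBILITY_ACTION in actions,
        "notification_listener": NOTIFICATION_LISTENER_ACTION in actions,
    }


def verdict(findings):
    """Score the combination: overlay plus accessibility, or any three of the
    four capabilities, is the overlay-trojan pattern; a single one merits a
    look but is not damning on its own."""
    present = [c for c in CAPABILITIES if findings[c]]
    if "overlay" in present and "accessibility_service" in present:
        return "suspicious"
    if len(present) >= 3:
        return "suspicious"
    return "review" if present else "clean"


# Constructed manifest of a 'cleaner' app that declares all four capabilities.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fastcleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Fast Cleaner">
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
        android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
        android:exported="true">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = analyse_manifest(manifest)
        print(result["package"], verdict(result),
              [c for c in CAPABILITIES if result[c]])
```

On a real APK, run `apktool d app.apk` first and feed the decoded `AndroidManifest.xml` to `analyse_manifest`; the binary manifest inside the APK is not plain XML and will not parse directly. A "suspicious" verdict is a reason to look at the code, not proof of malice: accessibility apps and SMS clients legitimately declare some of these, which is why the score looks at the combination.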

In addition to this, both track their internal state in the same way, through Android's 'SharedPreferences' key-value storage – and in both cases, the preferences file has been given the same name, ringO, which is the handle of the suspected original developer of Alien. 

Researchers also note that both forms of malware share the same "peculiar" logging strings, some of which go back to Cerberus, the precursor to Alien.  

The researchers note that the malware still appears to be in the early stages of development, as many commands present in the code aren't active yet. There's also the potential for the malware to target banks in a wider range of countries. 

"Currently the set of capabilities of Alien is much larger than the one of Xenomorph. However, considering that this new malware is still very young and adopts a strong modular design, it is not hard to predict new features coming in the near future," said researchers. 

A ThreatFabric spokesperson told ZDNet that they've flagged the malicious app to Google for it to be removed from the Play Store. ZDNet contacted Google about the malicious app and it was removed shortly afterwards.

"The safety and security of users is our top priority, and if we discover an app that violates our policies, we take action," a Google spokesperson told ZDNet.
