
Cryptocurrency Wallets Targeted by Alien Malware Variant

A Fresh Banking Trojan, Dubbed Xenomorph, Triggers Overlay Attack to Steal Funds

Xenomorph, a new banking Trojan that has targeted 56 European banks and is linked to the Alien Trojan family, has been detected in the Google Play Store. More than 50,000 installations of the malicious app were discovered.


The new Trojan is named after the alien queen in the "Alien" movie franchise. Researchers say Xenomorph is "radically different than its predecessor" but believe it was developed by the same person, or by someone familiar with Alien's code base.

Netherlands-based security research firm ThreatFabric, which first discovered Xenomorph, shared updated research on overlay attacks with Information Security Media Group. While Xenomorph is still actively targeting banks, its developers have added the ability to target cryptocurrency wallets, the researchers found.

Like many other Android banking Trojans, the researchers say, Xenomorph's main attack vector is an overlay attack: the malware draws a window over a running app so that victims type personally identifiable information and credentials into the attacker's fake screen, which is then used to commit fraud. The developers combined this feature with SMS and call interception, which lets attackers capture and replay two-factor authentication tokens. Once installed, the app badgers the user with repeated requests for Accessibility Services privileges until they are granted; those privileges are what allow it to read screen content, detect which app is in the foreground and grant itself further permissions.

"The Accessibility engine powering this malware, together with the infrastructure and C2 protocol, are carefully designed to be scalable and updatable," researchers say.
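The three capabilities described above (an enabled Accessibility Service, the overlay permission and SMS access) are individually legitimate but rarely needed together by a "cleaner" utility. The following triage script, an added example that is not ThreatFabric's or ISMG's code, flags packages that combine them. It parses two constructed inputs that mimic the shape of `adb shell settings get secure enabled_accessibility_services` and a trimmed `adb shell dumpsys package` listing; the package name `com.fastcleaner.app` is made up for the example, and real dumpsys output is much longer than the snippet shown.

```python
"""Triage Android packages for the overlay-Trojan permission combination:
an enabled Accessibility Service plus SYSTEM_ALERT_WINDOW and/or SMS access.

Added example, not code from ThreatFabric or ISMG. Inputs are constructed
strings shaped like `settings get secure enabled_accessibility_services`
and a trimmed `dumpsys package` dump; the parser only uses the lines shown.
"""
import re
from typing import Dict, List, Set

# Constructed: Android stores enabled services as "pkg/service:pkg/service".
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fastcleaner.app/com.fastcleaner.app.AccService"   # hypothetical dropper package
)

# Constructed, trimmed dumpsys-style output for two packages.
DUMPSYS = """\
Package [com.fastcleaner.app] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.READ_PHONE_STATE
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.google.android.marvin.talkback] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
  install permissions:
    android.permission.INTERNET: granted=true
"""

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def enabled_accessibility_packages(value: str) -> Set[str]:
    """Package names that currently have an accessibility service enabled."""
    pkgs = set()
    for entry in value.strip().split(":"):
        if "/" in entry:                       # "pkg/serviceClass"
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map package name -> permissions listed under 'requested permissions:'."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dump.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:                                   # new package block starts
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith("permissions:"):   # any other section ends the list
            in_requested = False
            continue
        if in_requested and current and stripped.startswith("android.permission."):
            result[current].add(stripped)
    return result


def triage(services: str, dump: str) -> Dict[str, List[str]]:
    """Return package -> risk flags for packages that pair an enabled
    accessibility service with overlay or SMS access. Accessibility alone
    (a screen reader such as TalkBack) is not reported."""
    acc = enabled_accessibility_packages(services)
    perms = requested_permissions(dump)
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(set(perms) | acc):
        flags = []
        p = perms.get(pkg, set())
        if pkg in acc:
            flags.append("accessibility-enabled")
        if OVERLAY in p:
            flags.append("overlay")
        if p & SMS:
            flags.append("sms")
        if "accessibility-enabled" in flags and len(flags) >= 2:
            findings[pkg] = flags
    return findings


if __name__ == "__main__":
    for pkg, flags in triage(ENABLED_SERVICES, DUMPSYS).items():
        print(f"{pkg}: {', '.join(flags)}")
```

On a real device, feed the script the output of the two adb commands named in the docstring; the combination is a strong triage signal, not proof of malice, so the flagged package still needs to be checked against what it claims to do.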

The researchers determined that the dropper, a Google Play application called Fast Cleaner that presented itself as a speed-boosting app for clearing storage space, belonged to the GymDrop dropper family, which had previously been seen deploying an Alien.A payload. Once the payload is running, its keylogging capability lets the threat actor spy on the user and collect additional data that can be used to launch more aggressive attacks later.

"Mobile banking malware we see nowadays is closer to what we used to see in the desktop threat landscape, with better back-end and distribution infrastructure," says Dario Durando, Android malware analyst for ThreatFabric.

Distribution relies mainly on two channels, according to Durando: smishing and dropper apps on Google Play.

Alien Android Family

According to ThreatFabric, the alleged designer took credit for the Alien variant in a darknet forum. Alien, a popular choice for threat actors seeking access to tools to deploy malware-as-a-service campaigns, appears to be an offshoot of Cerberus malware, which is no longer active.

Alien malware has a laundry list of capabilities similar to those of Xenomorph: key logging, remote access and actions, push notifications and the ability to hide what the app is doing, among many other features.

Overlay Attacks in the Crypto Sphere

Durando says cryptocurrency platforms fell in the top three spots for overlay attacks, based on updated analysis from April 2021 to February 2022. Other targets included PayPal and mobile banking apps in countries such as Turkey, Poland and Germany.

Overlay attack targets and frequency (Source: ThreatFabric)

Randy Pargman, a former senior computer scientist for the Cyber Task Force in Seattle, says cryptocurrency exchanges are becoming more attractive to threat actors, particularly when the malware includes a component that monitors the device's clipboard. That is one of the risks of the command-and-control features built into malicious apps such as Xenomorph, he says.

Because of the length of cryptocurrency addresses, Pargman says, if a user copies and pastes the address, they may not be aware if it's been maliciously altered. "It's another thing end users of cryptocurrency really need to watch out for."
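The clipboard attack Pargman describes, simulated as an added example that is not from ThreatFabric, Binary Defense or ISMG: a "clipper" watches the clipboard for a Bitcoin legacy address and substitutes the attacker's own. The point worth seeing in code is that the swapped-in address is still a perfectly valid address, so wallet-side checksum validation passes; the only check that catches the swap is comparing the pasted string with the address the user actually intended. The attacker address is generated here from a constructed, made-up hash so the script runs offline; the intended recipient is the well-known Bitcoin genesis address.

```python
"""Clipboard-hijack ("clipper") simulation with Base58Check validation.

Added example, not code from ThreatFabric, Binary Defense or ISMG. Assumes
legacy (Base58Check) Bitcoin addresses; the attacker address is built from a
constructed hash so nothing here is a real key or real victim.
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose pattern a clipper would use: legacy address, 26-35 base58 characters.
BTC_ADDR_RE = re.compile(r"\b[13][" + ALPHABET + r"]{25,34}\b")


def _dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """Version byte + payload + 4-byte double-SHA256 checksum, base58 encoded."""
    raw = bytes([version]) + payload
    raw += _dsha256(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))    # leading zero bytes -> leading '1's
    return "1" * pad + out


def base58check_decode(addr: str):
    """Return (version, payload), or None if a character or the checksum is bad."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5 or _dsha256(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[0], raw[1:-4]


def clipper_swap(clipboard_text: str, attacker_addr: str) -> str:
    """What the malware does: rewrite any address found on the clipboard."""
    return BTC_ADDR_RE.sub(attacker_addr, clipboard_text)


def paste_is_safe(intended_addr: str, pasted_addr: str) -> bool:
    """User-side check: the pasted address must equal the intended one.
    A valid checksum alone proves nothing, as demo() shows."""
    return pasted_addr == intended_addr


# Well-known valid address (Bitcoin genesis block) standing in for the recipient.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed attacker address: version 0x00 + 20 bytes of a made-up hash.
ATTACKER = base58check_encode(0x00, hashlib.sha256(b"constructed attacker key").digest()[:20])


def demo() -> dict:
    """Copy the genuine address, let the clipper run, then inspect the paste."""
    pasted = clipper_swap(GENESIS, ATTACKER)
    return {
        "intended": GENESIS,
        "pasted": pasted,
        "pasted_checksum_ok": base58check_decode(pasted) is not None,
        "safe": paste_is_safe(GENESIS, pasted),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Checking only the first and last few characters, as many users do, is weaker than a full comparison: nothing stops a clipper from carrying a set of vanity addresses and picking one whose prefix matches the victim's.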

Bypassing Authentic App Stores

Attacks delivered through the Google Play Store have become more prevalent, as seen with the re-emergence of BRATA, a remote access Trojan that now has a "kill mode," and a phony 2FA app that dropped the Vultur Trojan, both of which surfaced in recent months.

To combat these attacks, the MITRE ATT&CK framework's mitigations recommend reporting fraudulent apps as soon as possible and note that developers or third-party services can scan app stores for unauthorized copies of their apps. But threat actors sometimes get past an app store's review by submitting a fully functional, benign app, as with the phony 2FA application. Once the app is accepted, they push an update that adds the malicious functionality.

Pargman, who is also the vice president of threat hunting and counterintelligence for threat detection firm Binary Defense, says multifactor authentication is still the best tool to deter threat actors. But, he says, attackers are becoming more innovative about getting around security controls.

"Threat actors are getting more and more creative about how to get around [2FA]," he says. "That's why you see apps like Vultur trying to steal data and trick people into [accessing] two-factor authentication."

Threat actors have also been observed on darknet forums trading stolen account credentials belonging to legitimate developers, Durando adds, which they use to upload malicious apps to the Google Play Store and other official app stores.


About the Author

Devon Warren-Kachelein


Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.



