"These Two Google Play Store Apps Spotted Distributing Xenomorph Banking Trojan"

Google has removed two new malicious dropper apps discovered on the Google Play Store, one of which masqueraded as a lifestyle app and was caught distributing the Xenomorph banking malware. According to Zscaler ThreatLabz researchers, Xenomorph is a Trojan that steals credentials from banking applications on users' devices. It can also intercept SMS messages and notifications, allowing it to steal one-time passwords and multi-factor authentication (MFA) requests. The cybersecurity firm also discovered an expense tracker app that displayed similar behavior, but it was unable to extract the URL used to retrieve the malware artifact. Both apps serve as droppers, meaning the apps are harmless in themselves and act as a conduit to retrieve the actual payload, which, in the case of one app, is hosted on GitHub. Xenomorph, first identified by ThreatFabric in February, is known to exploit Android's accessibility permissions to perform overlay attacks, in which fake login screens are displayed on top of legitimate bank apps in order to steal the victim's credentials. Furthermore, the malware uses the description of a Telegram channel to decode and construct the command-and-control (C2) domain used to receive additional commands. This article continues to discuss the distribution of the Xenomorph banking Trojan via two new malicious dropper apps on the Google Play Store.

THN reports "These Two Google Play Store Apps Spotted Distributing Xenomorph Banking Trojan"

Submitted by Anonymous on