Intro

In February 2022, ThreatFabric came across a new Android banking Trojan, which we dubbed Xenomorph. The name comes from its clear ties with another infamous banking Trojan, Alien, from which Xenomorph adopts class names and interesting strings.

Based on the intelligence gathered, users of 56 different European banks are among the targets of this new Android malware trojan, distributed on the official Google Play Store, with more than 50.000 installations.

Just like the monster protagonist of the famous Ridley Scott’s franchise, this malware shares some aspects with its predecessor. However, despite its obvious ties to one of the most wide-spread malware of the last two years, Xenomorph is radically different from Alien in functionalities. This fact, in addition to the presence of not implemented features and the large amount of logging present on the malware, may suggest that this malware might be the in-progress new project of either the actors responsible with the original Alien, or at least of someone familiar with its code base. However, this is only speculation at the moment.

Distribution

As we have previously discussed, threat actors are increasingly focusing their efforts into sneaking their way onto the Google Play Store (MITRE T1475).

Google has seemingly taken some action to reduce the amount of malicious applications on the app market, but often these efforts are not enough to stop criminals from reaching the store. As part of our daily threat hunting, ThreatFabric analysts encounter and report malicious applications on the store to Google.

One of the applications ThreatFabric discovered was posing as “Fast Cleaner”, an application aiming at speeding up the device by removing unused clutter and removing battery optimization blocks. The application itself seemed successful, with more than 50.000 installations reported on Google Play. This is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such application.

Upon analysis, we recognized this application as belonging to the Gymdrop dropper family. Gymdrop is a dropper family discovered by ThreatFabric in November 2021. Previously it was observed deploying a Alien.A payload. From the configuration downloaded by the dropper, ThreatFabric was able to confirm that this dropper family continues to adopt this malware family as its payload. However, contrary to the past, the server hosting the malicious code also contained two other malware families, which were also returned instead of Alien, based on specific triggers.

Firstly, we observed samples belonging to a new wave of ExobotCompact.D, which has been living a new resurgence in the past few weeks, posing as Google play store applications, as well as different banking applications.

However, despite being the first time we observed ExobotCompact.D and Alien.A being distributed by the same dropper infrastructure, what surprised us the most was the presence of a totally new malware family. This is how ThreatFabric discovered Xenomorph.

Capabilities

Here is a comprehensive list of Xenomorph capabilities:

int v0 = arg4.getEventType();
switch (v0) {
    case 1: {
        UtilGlobal.Log("onAccessibilityEvent", "### type: TYPE_VIEW_CLICKED");
        break;
    }
    case 2: {
        UtilGlobal.Log("onAccessibilityEvent", "### type: TYPE_VIEW_LONG_CLICKED");
        break;
    }
    case 4: {
        UtilGlobal.Log("onAccessibilityEvent", "### type: TYPE_VIEW_SELECTED");
        break;
    }
    case 8: {
        UtilGlobal.Log("onAccessibilityEvent", "### type: TYPE_VIEW_FOCUSED");
        break;
    }
    ...
    case 0x20: {
        UtilGlobal.Log("onAccessibilityEvent", "### type: TYPE_WINDOW_STATE_CHANGED");
        this.windowStateChangedEvent(arg4); // function responsible for injections
        break;
    }
    case 0x40: {
        UtilGlobal.Log("onAccessibilityEvent", "### type: TYPE_NOTIFICATION_STATE_CHANGED");
        this.notificationStateChanged(arg4); // function responsible for logging notifications
        break;
    }
    ...
}

Modus Operandi

The main attack vector for Xenomorph is the classic overlay attack powered by Accessibility Services privileges. Once the malware is up and running on a device, its background services receive accessibilty events whenever something new happens on the device. if the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package. Here as a few examples of triggered overlays:

This feature is performed by the code you see in the snippet underneath:

protected void onStart() {
    super.onStart();
    this.context = this;
    OverlayInjectResource v0 = UtilGlobal.getPackageInjection(this, UtilGlobal.SettingsRead(this, "AITG"));
    this.resource = v0;
    this.hideStop = true;
   if (!this.stopActivity && v0 != null) {
       try {
            WebView v0_2 = new WebView(this);
            this.wv = v0_2;
            v0_2.getSettings().setJavaScriptEnabled(true);
            this.wv.setScrollBarStyle(0);
            this.wv.setWebViewClient(new MyWebViewClient(null));
            this.wv.setWebChromeClient(new MyWebChromeClient(null));
            this.wv.addJavascriptInterface(new WebAppInterface(this), "Android");
            String v3 = this.resource.getPageResource(this);
            this.wv.loadDataWithBaseURL(null, v3, "text/html", "UTF-8", null);
            this.setContentView(this.wv);
        } catch (Exception v0_1) {
            v0_1.printStackTrace();
        }

return;
    }
}

In addition, the malware is able to abuse Accessibility Services to log everything that happens on the device. At the moment of writing, all the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware.

Targets

As a first step, the malware sends back the list of installed packages on device, and based on what targeted application is present on the device, it downloads the corresponding overlays to inject. The list of overlay targets returned by Xenomorph includes targets from Spain, Portugal, Italy, and Belgium, as well as some general purpose applications like emailing services, and cryptocurrency wallets.

C2 Communication & Commands

For its C2 communication, Xenomorph relies on the open-source project Retrofit2.

Retrofit is a type-safe REST client for Android, Java and Kotlin developed by Square. The library provides a powerful framework for authenticating and interacting with APIs and sending network requests with OkHttp.

NOTE : ThreatFabric wants to explicitly mention that RetroFit is a legitimate and legal product. The developers that created this project have no control over the misuse of their software.

After obtaining Accessibility Services privileges, Xenomorph will first register and verify itself with the C2, by sending a request containing the following information at the endpoint ‘ping’:

{
    "api": "%DEVICE_SDK_NUMBER%",
    "apps": ["%LIST%", "%OF%", "%INSTALLED%", "%APPS%"],
    "imei": "%IMEI%",
    "model": "%MODEL%",
    "numbers": ["%LIST%", "%OF%", "%CONTACTS%"],
    "tag": "%BOT_TAG%",
    "uid": "%UID%"
}

The messages are encrypted with an ever changing AES key and IV, together with an hash of the message to ensure the integrity of the communication. The first message sent to the C2 has the following format and uses an hardcoded testKey. The initial information exfiltrated about the device and displayed above is contained in the tag ‘id’:

{
    "hash": "%BASE64_ENCODED_SHA256%",
    "id": "%ENCRYPTED_DATA%",
    "iv": "%IV_FOR_AES%",
    "type": "request_verify"
}

Following this exchange, the bot can be successfully registered and communicate with the C2. In this stage, the malware will periodically poll for new commands from the C2, receiving the following response:

{
    "type": "get_coms",
    "coms": ["<COMMANDS>"]
}

The value of ‘coms’ can be empty, or it can be any of the values described in the following section.

Commands

The following table contains all the accepted commands that can be sent from the C2:

Endpoints

Here is a list of the endpoints used by Xenomorph to communicate with its C2

Similarities with Alien

Both choices of having a fully modular Accessibility Service engine and the use of Retrofit2 could remind of another powerful Android Banking trojan, S.O.V.A.. However, despite this design similarities, the two families are completely different in implementation. On the other hand, there are many similarities with another Android Banking Trojan, which has been around for more than 2 years now: Alien.

The first similarity between these two families is the use of the same HTML resource page to trick victims into granting the Accessibility Services privileges, which however has been re-used by many families before Xenomorph.

This new malware also uses a very similar style of state-tracking through the use of the ‘SharedPreferences’ file. This file is commonly used to track the state of an application. However, the style of variable naming used by Xenomorph is very reminiscent of Alien, despite being potentially even more detailed.

Potentially the most interesting fact is the actual name of the sharedPreferences file used to store the configuration for Xenomorph: the file is named ring0.xml.

This might look like any other generic random string, but it happens to coincide with the name of the supposed actor behind the development of the original Alien malware.

If this could look like a coincidence, there are many occurences of very peculiar logging strings and class names observed first in Cerberus, and later in its successor Alien.

Currently the set of capabilities of Alien is much larger than the one of Xenomorph. However, considering that this new malware is still very young and adopts a strong modular design, it is not hard to predict new features coming in the near future.

Conclusions

The surfacing of Xenomorph shows, once again, that threat actors are focusing their attention on landing applications on official markets. This is also a signal that the underground market for droppers and distribution actors has increased its activity, considering that we just very recently observed Medusa and Cabassous also being distributed side-by-side.

Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon. Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change.

The current version of Xenomorph is capable of abusing Accessibility Services to steal PII from unaware victims, prevent uninstallation and intercept SMS and notifications. ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android Banking trojans.

MTI & CSD

This and other mobile malware is tracked in our Mobile Threat Intel service (MTI). Try out our MTI feed today! Send a message to sales@threatfabric.com, and get 30 days access to our portal free of charge.

If you want more information on how we detect mobile malware on mobile devices, you can directly contact us at: info@threatfabric.com

Appendix

Xenomorph Samples

Xenomorph C2

Xenomorph Targets