Xenomorph: A banking Trojan targeting financial institutions worldwide

Like other banking viruses, Xenomorph is renowned for using overlay attacks to take advantage of Accessibility Services and commit fraud. Moreover, it has the ability to use a method known as Automatic Transfer System (ATS) to automatically finish fraudulent transactions on infected devices. The Xenomorph pretends to be the “Quick Cleaner” system-optimizing application and employs the ruse of appearing as device optimizers, battery or performance boosters, or other utility apps.

The initial version of the banking trojan was detected on the Google Play store in February 2022, where it received over 50,000 downloads. The first assault employed injections for overlay attacks against 56 European banks and took use of Accessibility Services rights to undertake notification interception, obtaining one-time codes. It’s likely that the hackers want to use a MaaS (Malware-as-a-Service) platform to distribute Xenomorph to operators.

These banking malware programmes’ primary function is to steal passwords, and they also employ SMS and notification interception to log and utilize possible 2FA tokens. This is done by imitating authorized financial apps. It launches a duplicate of the authentic banking app’s original interface, and this overlay transfers input information including usernames and passwords to the threat actor. The Trojan persistently requests Accessibility Services privileges after starting in order to replace the legitimate banking apps. It automatically grants itself all necessary permissions once it has these rights, and it then operates silently on the device.

The Google Play store’s “Zombinder” platform is being used to spread Xenomorph v3, which initially acts as a currency converter before switching to utilizing a Play Protect icon after the malicious payload has been loaded.

The most recent version of the Xenomorph malware is intended to target more than 400 banking and financial organizations, including various cryptocurrency wallets, and has a dedicated website touting its benefits. There are also reports that Xenomorph has been observed to target nations like the United States, Spain, Turkey, Poland, Australia, Canada, Italy, Portugal, France, Germany, the United Arab Emirates, and India.


  1. https://www.bleepingcomputer.com/news/security/xenomorph-android-malware-now-steals-data-from-400-banks/
  2. https://thehackernews.com/2023/03/xenomorph-android-banking-trojan.html
  3. https://www.welivesecurity.com/videos/xenomorph-what-know-android-banking-trojan/
SISA’s Latest
close slider