26 September 2023

Xenomorph banking trojan targets over 30 US banks


Security researchers uncovered an updated version of the Xenomorph mobile banking trojan aimed at users of cryptowallets and banks in the US.

First spotted in February 2022 by ThreatFabric’s cyber fraud analysts, the trojan is distributed via phishing pages designed to trick users into installing malicious APKs. The researchers said that the new version of Xenomorph comes with a larger list of target apps than its previous versions, which targeted 56 European banks; the list now also covers the United States.

“This new list adds dozens of new overlays for institutions from the United States, Portugal, and multiple crypto wallets, following a trend that has been consistent amongst all banking malware families in the last year,” the researchers said.

Xenomorph uses overlays to obtain Personally Identifiable Information (PII) such as usernames, passwords, credit card numbers, and much more. The command-and-control server transmits to the bot a list of URLs containing the address from which the malware can retrieve the overlays for the infected device.

While the new Xenomorph version doesn’t differ much from its predecessors, it comes with some new modules and functions, such as an anti-sleep feature that allows the threat actors to set a flag in the shared preferences file, which tells the malware that the device should not go into sleep mode. Another addition is a “mimic” mode that allows the malware to pose as any other application. The code contains an activity called IDLEActivity, which is used as a WebView to display a legitimate website.

By posing as another application, Xenomorph can avoid being discovered by security products, the researchers explained.

Lastly, the malware implements the ability to simulate a simple touch at specified coordinates, using the “clickOnPoint” command. While not very advanced, this feature allows threat actors to perform small actions without having to create a full ATS module.

Due to an OpSec mistake made by the trojan’s operators, the researchers were able to monitor the malware’s server and discovered multiple interesting files, including those related to well-known desktop info-stealers such as RisePro. The findings suggest that these files may belong to one threat actor who is trying several Malware-as-a-Service “providers” focusing not only on mobile devices but also on desktops.

“Xenomorph maintains its status as an extremely dangerous Android banking malware, featuring a very versatile and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturers’ devices,” the researchers said. “The fact that we saw Xenomorph being distributed side-by-side with powerful desktop stealers is very interesting news. It could indicate a connection between the threat actors behind each of these malware, or it could mean that Xenomorph is being officially sold as a MaaS to actors, who operate it together with other malware families. In each case, it indicates an activity from Xenomorph which we have not seen before, but which we might see a lot of in the near future.”
