400 banks on alert: ‘Ghost’ malware is attacking on a large scale, automatically draining money from victims’ accounts

Tram Ho

A new version of the dangerous Xenomorph malware for the Android operating system has been discovered, with the ability to steal login information from 400 different banking applications.

Xenomorph was first discovered by cybersecurity firm ThreatFabric last February, with the initial version being a banking trojan, distributed through malicious apps on Google Play.

It is especially dangerous because it can take advantage of overlapping layers of protection across 56 banking applications in Europe to steal users’ login credentials and drain their accounts.

By June 2022, Xenomorph v2 was released with a major “overhaul” of the code, allowing it to become more flexible.

Recently, ThreatFabric discovered a third version of Xenomorph, called Xenomorph v3. Currently, up to 400 banks and financial institutions from the United States, Canada, India and several European countries are being targeted by this malware.

Xenomorph v3

Xenomorph v3 adds many new features that make it a much bigger threat than previous versions. This malware is capable of automatically stealing data such as login information and account balances, and it can also perform banking transactions and money transfers.

In its report on the issue, ThreatFabric explains that “Xenomorph can execute the entire fraud chain (from malware infection to withdrawal) in a fully automated manner, making it the most harmful and dangerous malicious trojan currently lurking in the Android operating system. Besides the 400 banks and financial institutions that have been targeted, it can now also steal money from several types of electronic wallets.”

After reviewing samples of Xenomorph v3, ThreatFabric discovered a website that specializes in advertising the latest version of the malware. That means the upcoming Xenomorph v3 will likely be sold to cybercriminals.

Currently, it is being distributed through the “Zombinder” platform on the Google Play store. The platform is especially dangerous because hackers have found a way to add this malware to legitimate Android apps.

Bypassing multi-factor authentication

If that wasn’t bad enough, Xenomorph v3 also allows cybercriminals to automatically extract logins, check account balances, steal money, etc. from infected Android phones.

The malware’s ATS framework allows it to bypass multi-factor authentication (MFA) commonly used to prevent these types of automated transactions.

Instead of using SMS text messages for MFA in your banking app, you can use an authenticator app like Google Authenticator or Microsoft Authenticator. However, not all banks currently offer such an option.

Xenomorph v3 even includes a cookie stealer, which can take away the cookies on your phone through the Android Cookie Manager. It does this by launching a legitimate service’s browser window, tricking victims into entering their credentials.

Then, with the cookies of this login session in hand, the hacker can take control of the website, thereby taking over the victim’s account.

What to do to ensure safety?

Cybersecurity experts advise that you need to be extremely careful when installing apps on Android phones, even if they come from official app stores. Also, you should limit the total number of apps installed on your phone.

When installing new apps, check their ratings and read reviews on Google Play. Alternatively, you can search for other reviews externally (on a website or video platform), through a search engine.

Reviewing the application vendor’s information is also a good way to help you determine whether it is legitimate software.

Besides, it is recommended to enable Google Play Protect as it can scan existing and new apps that you are intending to install for malware.

Please note, this may not be the last we hear about Xenomorph v3, especially as the organization that created it is looking to turn this malware into a paid service that cybercriminals can use in their attacks.

Source: Genk