A banking credential-stealing trojan has been found in an app called, ‘Todo: Day manager’ that is downloadable from the Google Play store. The ‘Xenomorph’ trojan steals banking data stored in the user’s phone and sends it to the hacker’s command and control (C2) servers. Moreover, the Xenomorph banking trojan is capable of giving itself admin rights that would make it impossible to be uninstalled.
Xenomorph and Todo
The Todo: Day manager app has had over 1000 downloads so far. Security researchers found nearly 50 similar malware apps that were downloaded nearly 500,000 times. Researchers spotted other malware such as Adfraud, Coper, Harley, and Joker in similar apps.
The Xenomorph banking trojan steals login details from the banking app the victim uses. Furthermore, it can go through SMSes and notifications reaching the device which enables it to copy one-time passwords (OTP). This helps it to hack accounts and tamper with multifactor authentication requests.
Once a user downloads this fake lifestyle app, it seeks access permission. After the unsuspecting user grants the permission, it automatically marks itself as the device admin and also escapes being disabled by the user. Following this, the app is rendered impossible to uninstall. The Xenomorph trojan then employs a program code to create an overlay that works if the device has the official bank app installed. In this case, the victim sees it as part of their banking app and ends up entering their banking credentials.
Researchers from Zscaler ThreatLabs noted in their report that this banking malware is dropped from GitHub posing as a Google service application upon installation. After opening the infected Todo: Day manager app, it connects with a Firebase server for the banking malware payload URL. Following this, it downloads the trojan samples from GitHub that connects to the hackers’ C2 servers after getting decoded through sources including Telegram.
In the following steps, the malware only downloads if the parameter is set to ‘Enabled.’ The payload decrypts the C2 server address from the downloads. The C2s found included:
- hxxps[://]github[.]com/blsmcamp/updt
- gogoanalytics[.]click
- gogoanalytics[.]digital