Bitcoin Forum
Topic: [Warning]: New Xenomorph Android malware targets more crypto wallets/banks  (Read 130 times)
Dave1 (OP)
September 26, 2023, 10:38:17 AM
 #1

It seems that the Android malware has evolved again, this time using a phishing page and then attracting users to update their Chrome browser and then downloading the malicious code through a sample like this.



And the scope is bigger now, not just to steal banking information, but also expanded to other cryptocurrency apps.

Highlighted in bold are the newly added targets:






It was first reported by @lovesmayfamilis here: Android malware targets 13 bitcoin wallets and 400 banks.

But this time, the threat actors have expanded, including the United States and more cryptocurrency apps, depending on the demographics.

Quote

These areas include Spain, Portugal, Italy, Canada, and Belgium.

However, this latest campaign also added plenty of financial institutions from the United States, together with multiple crypto-wallet applications, totaling more than 100 different targets per sample, each one using a specifically crafted overlay to steal precious PII from the victim's infected device.

Actors have put a lot of effort into modules that support Samsung and Xiaomi devices. This makes sense, considering that these two combined make up roughly 50% of the whole Android market share, according to recent data presented in multiple recent studies.

https://www.threatfabric.com/blogs/xenomorph

So again, this is just another warning to be very careful with those Android apps that you think are safe to download.

jrrsparkles
October 01, 2023, 07:18:15 AM
 #2

I am kind of picturing how this actually begins.

It is something like a popup while we are browsing on sites and asking us to update Chrome or whatever apps.

A few tips that may eliminate the potential malware from Android: enable Play Protect in the Play Store settings, which will let the device keep scanning the apps over time, and if there is something wrong it won't allow the apps to open, which may be helpful at some level.









hugeblack
October 01, 2023, 08:04:18 AM
 #3

Android devices are relatively cheap, and you can get a wide range of these devices at competitive prices. Therefore, I see no reason for someone who wants to use them as a wallet not to buy a separate phone dedicated to that, especially since sometimes some people may not buy hardware wallets for one reason or another.

But in any case, if you are forced to use your phone as a wallet, it is better not to browse the Internet, or at least visit certain links, avoid random clicking, and do not download any untrusted applications.

Quote from: jrrsparkles
It is something like a popup while we are browsing on sites and asking us to update Chrome or whatever apps.

The privacy settings for Chrome on Android devices are very limited and it is easy to see these pop-ups. It is a bad choice for anyone who wants to browse on Android devices. I prefer TOR or Firefox.

jrrsparkles
October 01, 2023, 08:55:38 AM
 #4

Quote from: hugeblack
Android devices are relatively cheap, and you can get a wide range of these devices at competitive prices. Therefore, I see no reason for someone who wants to use them as a wallet not to buy a separate phone dedicated to that, especially since sometimes some people may not buy hardware wallets for one reason or another.

Most of the cheap Androids come with preinstalled bloatware (spyware), and many of them can't be disabled. Also, there are many reports saying that those Chinese brand devices collect all the data from their users and send it back to Chinese governments, which may be true or not but is likely possible in my opinion. And you are right though, Android is a good choice for a crypto wallet only if it is used as an air-gapped wallet and broadcasts the transaction from another regular device, so there will be no invasion of our privacy, and it also gives the most secure form of crypto wallet.

Quote from: hugeblack
Quote from: jrrsparkles
It is something like a popup while we are browsing on sites and asking us to update Chrome or whatever apps.

The privacy settings for Chrome on Android devices are very limited and it is easy to see these pop-ups. It is a bad choice for anyone who wants to browse on Android devices. I prefer TOR or Firefox.

TOR again is gonna be dead slow, so no one is going like that, to be honest, so it is preferable when it is something sensitive. Apart from that, Firefox or Brave is good, but Chrome will be there and track all the user activity even if we never opened it for months, which we have to disable in the settings.

Also, we have to review the permissions under app management from time to time to know what apps are using which permissions, for example camera, microphone, gallery access, etc., and if there is an option to only allow while using the app, please enable it.









Lucius
October 01, 2023, 11:01:03 AM
 #5

Quote from: jrrsparkles
TOR again is gonna be dead slow, so no one is going like that, to be honest, so it is preferable when it is something sensitive. Apart from that, Firefox or Brave is good, but Chrome will be there and track all the user activity even if we never opened it for months, which we have to disable in the settings.
~snip~

This is not always the case, but in general, when you use Tor or VPN, you can often expect that the loading speed of websites will be somewhat slower compared to when you do not use them. However, for those who value privacy, "slowness" will not be an obstacle, especially if in this way they can additionally protect themselves from such malware.



Quote from: jrrsparkles
I am kind of picturing how this actually begins.
It is something like a popup while we are browsing on sites and asking us to update Chrome or whatever apps.
~snip~

According to the information in the first thread posted by @lovesmayfamilis, this malware spreads in the following way:

Quote
"Xenomorph v3 is currently being distributed via the Zombinder platform on the Google Play Store, posing as a currency converter and switching to using the Play Protect icon after installing a malicious payload."

This means that, as always, great caution is required when downloading apps from any location, including from the Google Play Store, which is not efficient when it comes to absolute filtering of malicious apps. In other words, limit the number of apps you have on your smartphone and download only those that have been around for a long time and have a very large number of downloads and good reviews.
