Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions
Posted by JD (aka Jason Dean), Sep 27 '23, 08:26
This isn't actually the new news part as that's about new overlays for additional websites....
The feature allows its operators, named Hadoken Security, to completely seize control over the device by abusing Android's accessibility privileges and illicitly transfer funds from the compromised device to an actor-controlled account.
The malware also leverages overlay attacks to steal sensitive information such as credentials and credit card numbers by displaying fake login screens on top of the targeted bank apps. The overlays are retrieved from a remote server in the form of a list of URLs.
In other words, the ATS framework makes it possible to automatically extract credentials, access account balance information, initiate transactions, obtain MFA tokens from authenticator apps, and perform fund transfers, all without the need for any human intervention.
"Actors have put a lot of effort into modules that support Samsung and Xiaomi devices," the researchers said. "This makes sense, considering that these two combined make up roughly 50% of the whole Android market share."
Some of the new capabilities added to the latest versions of Xenomorph include an "antisleep" feature that prevents the phone's screen from turning off by creating an active push notification, an option to simulate a simple touch at a specific screen coordinate, and impersonate another app using a "mimic" feature.
As a way to bypass detection for long periods of time, the malware hides its icon from the home screen launcher upon installation. The abuse of the accessibility services further allows it to grant itself all the permissions it needs to run unimpeded on a compromised device.
...."an option to simulate a simple touch at a specific screen coordinate" !!!!!
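The quoted article lists three observable traits of this family: a service bound with the accessibility-service permission (device takeover, self-granted permissions), the overlay permission used to draw fake login screens, and a launcher icon that disappears after install. The script below is an added example, not code from the post or from the researchers it quotes; it is a static triage of an Android manifest that flags that combination. Both manifests are constructed for illustration (the package names are made up), while the permission, action and category strings are real Android identifiers.

```python
"""Static manifest triage for the traits the quoted article describes.

Added example, not from the post or the quoted research. Parses an
AndroidManifest.xml (decoded text, e.g. as produced by apktool) and flags:
  1. android.permission.SYSTEM_ALERT_WINDOW  -> overlay / fake login screens
  2. a <service> guarded by BIND_ACCESSIBILITY_SERVICE -> accessibility abuse
  3. no enabled LAUNCHER activity -> icon hidden from the home screen
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree needs the namespaced form of an android:* attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample showing all three traits together (package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison (package name is made up).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

TRAITS = ("overlay_permission", "accessibility_service", "no_visible_launcher")


def has_visible_launcher(root) -> bool:
    """True if some enabled activity (or alias) carries the LAUNCHER category."""
    for act in list(root.iter("activity")) + list(root.iter("activity-alias")):
        if act.get(android_attr("enabled"), "true").lower() == "false":
            continue  # declared disabled: no icon will be shown
        for cat in act.iter("category"):
            if cat.get(android_attr("name")) == "android.intent.category.LAUNCHER":
                return True
    return False


def triage_manifest(xml_text: str) -> dict:
    """Return per-trait booleans plus a 0..3 score (number of traits present)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    findings = {
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "accessibility_service": any(
            s.get(android_attr("permission"))
            == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            for s in root.iter("service")
        ),
        # Caveat: icon hiding is often done at runtime after install, so a
        # manifest with a visible launcher entry does not clear the app; pair
        # this with a device-side check of the component's enabled state.
        "no_visible_launcher": not has_visible_launcher(root),
    }
    findings["score"] = sum(1 for t in TRAITS if findings[t])
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

A score of 2 or 3 is a reason to pull the app for manual review rather than a verdict on its own: legitimate accessibility tools and screen-overlay utilities declare the same permissions, which is exactly why the combination with a hidden launcher entry matters more than any single flag.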