Upgraded Xenomorph Android Banking Trojan Resurfaces with Greater Potency

  • Written by Ari Denial, Cybersecurity & Tech Writer

A recently released version of the Xenomorph Android malware has expanded its capabilities by introducing a sophisticated Automated Transfer System (ATS) framework, and it is able to steal login credentials for more than 400 financial institutions.

The latest version of the Android banking trojan, known as “Xenomorph 3rd generation” by the Hadoken Security Group, has been found to possess advanced features that allow malicious actors to conduct financial fraud with a high degree of ease and efficiency.

Originally targeting 56 European banks, the first version of the malware used overlay attacks through injection techniques and exploited accessibility services permissions to intercept notifications and steal one-time codes.

According to a report by Dutch security firm ThreatFabric, the latest version adds a multitude of features to an already multifaceted Android banking malware. The most noteworthy is a comprehensive runtime engine, bolstered by accessibility services, that enables malicious actors to seamlessly integrate a complete Automated Transfer System (ATS) framework.

The current version of Xenomorph, known as Xenomorph v3, is being spread through the ‘Zombinder’ platform, disguised as a currency converter app on the Google Play Store. Once installed, the malware disguises itself with a Play Protect icon.

As explained by ThreatFabric, Xenomorph v3 is propagated through a Zombinder app that is paired with a bona fide currency converter application. The malware is then downloaded as an ‘update’, disguised as Google Protect.

The most recent version of Xenomorph is primarily aimed at 400 financial institutions across several countries including the United States, Turkey, Spain, Australia, Poland, Italy, Canada, France, Portugal, UAE, Germany, and India.

As banks are gradually shifting from SMS-based two-factor authentication (2FA) to authenticator apps, the Xenomorph trojan has incorporated an ATS module that permits it to launch the app and obtain the authenticator codes, thereby circumventing this security measure.

The Android malware also includes cookie-stealing functionality, which lets threat actors carry out account takeover attacks.

SVB Collapse Leaves Door Open for Cybercriminals to Steal Money and Data

  • Written by Ari Denial, Cybersecurity & Tech Writer

The collapse of Silicon Valley Bank (SVB) has caused turmoil in the global financial system. In the aftermath, cybercriminals are exploiting the situation by registering suspicious domains, launching phishing campaigns, and carrying out attacks to steal money and account data and to infect targets with malware.

According to several security researchers, threat actors are actively registering suspicious domains, setting up phishing pages, and preparing for Business Email Compromise (BEC) attacks.

The fallout from the SVB collapse has affected numerous businesses and individuals in various industries, including life sciences, technology, private equity, healthcare, venture capital, and premium wine.

According to recent findings by security researcher Johannes Ullrich, cybercriminals are capitalizing on the situation by registering suspicious SVB-related domains that are likely to be used in attacks.
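The domains described above can be triaged on the defender's side before anyone clicks them. The following is an added example, not code from the original article or from any of the researchers it cites: a small scorer that flags newly seen domains whose registrable label contains an SVB brand token, is a near-miss of the full bank name (typosquat), or is padded with the lure words typical of post-incident phishing (claims, payback, refunds, legal help). The brand tokens, lure words, weights and the sample domains are all constructed for this illustration.

```python
from difflib import SequenceMatcher

# Brand tokens a defender might watch for after the SVB collapse (constructed list).
BRAND_TOKENS = ("svb", "siliconvalleybank", "svbank")
# Lure words commonly bolted onto lookalike domains in post-incident phishing (constructed list).
LURE_WORDS = ("claim", "payback", "refund", "support", "legal", "loan",
              "usdc", "recovery", "login", "secure")
# Constructed sample of "newly registered / newly seen" domains to triage.
SAMPLE_DOMAINS = [
    "svb-claims-support.com",
    "siliconvalleybank-payback.net",
    "siliconvaleybank.com",        # typosquat: one 'l' dropped
    "usdc-payback-program.com",    # lure words but no brand token
    "example-news.org",            # benign control
]

def registrable_label(domain):
    """Return the second-level label of a domain or URL, lowercased.
    Naive on purpose: multi-part public suffixes such as co.uk are not handled."""
    host = domain.lower().split("//")[-1].split("/")[0]
    labels = [part for part in host.split(".") if part]
    if len(labels) < 2:
        return labels[0] if labels else ""
    return labels[-2]

def normalize(label):
    """Drop separators and undo common digit-for-letter substitutions
    so that 'sv-b', 's.v.b' and '5vb' all compare equal to 'svb'."""
    label = label.replace("-", "").replace("_", "")
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
    return label.translate(table)

def score_domain(domain):
    """Return (score, reasons) for one domain. Higher means more suspicious."""
    label = normalize(registrable_label(domain))
    score, reasons = 0, []
    for token in BRAND_TOKENS:
        if token in label:
            score += 50
            reasons.append(f"contains brand token '{token}'")
            break
    else:
        # No exact token: check for a near-miss of the full bank name (typosquat).
        ratio = SequenceMatcher(None, label, "siliconvalleybank").ratio()
        if ratio >= 0.8:
            score += 40
            reasons.append(f"typosquat of 'siliconvalleybank' (similarity {ratio:.2f})")
    for word in LURE_WORDS:
        if word in label:
            score += 15
            reasons.append(f"lure word '{word}'")
    return score, reasons

def triage(domains, threshold=40):
    """Score every domain and return those at or above the threshold,
    most suspicious first, as (domain, score, reasons) tuples."""
    flagged = []
    for domain in domains:
        score, reasons = score_domain(domain)
        if score >= threshold:
            flagged.append((domain, score, reasons))
    flagged.sort(key=lambda item: item[1], reverse=True)
    return flagged

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_DOMAINS):
        print(f"{score:3d}  {domain}  ({'; '.join(reasons)})")
```

Feeding a daily list of newly registered domains (or the distinct hostnames from mail-gateway and DNS logs) through `triage` gives an analyst a short review queue rather than a raw feed; the weights are deliberately simple so they can be tuned, and the typosquat check is what catches the dropped-letter variant that no brand-token match would find.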

Ullrich has cautioned that scammers may attempt to contact former SVB clients offering fake services related to the bank’s collapse, such as legal services, support packages, or loans.

A cryptocurrency scam claims that as of March 13, 2023, Silicon Valley Bank is distributing USDC as part of its SVB USDC payback program, exclusively to eligible USDC holders. The scam further alleges that USDC payouts are restricted to one claim per wallet.

Circle, a peer-to-peer payments firm that oversees the widely used stablecoin USDC, had deposited $3.3 billion in cash reserves at SVB. Despite the firm’s assurances regarding the liquidity of USDC, the collapse of SVB has created an atmosphere of uncertainty.

To avoid falling victim to business email compromise during such attacks, verify any payment changes with your contact over the phone rather than through email.