Xenomorph malware

The cybersecurity firm, ThreatFabric has recently identified a new banking trojan, Xenomorph, that is distributed on the official Android app store, Google Play Store.

This new banking trojan primarily attacks the users from the following countries:-

  • Spain
  • Portugal
  • Italy
  • Belgium

In Google Play Store, the operators of Xenomorph distribute the trojan through one app, Fast Cleaner which has more than 50,000 downloads, but, currently, Google has already removed this application from Play Store.

This application contained the Gymdrop dropper that has successfully passed all the security barriers of Google.

Apps Targeted

On further analysis, it has been found that this banking trojan is classified as a classic banking trojan that particularly infects Android devices to request the Accessibility service permission and then displays fake login screens to the users by overlaying them on top of the banking apps.

Xenomorph trojan can show such fake login screens for several banking apps, cryptocurrency wallets, and email apps in Spain, Portugal, Italy, and Belgium.

And here are the number of banking, crypto wallet, and email apps targeted:-

  • 56 banking apps
  • 12 cryptocurrency wallets
  • 7 email apps


This banking trojan also collects other data regarding the device and then transfers those data to the servers that are controlled by the threat actors.

While the data stolen by the trojan are used by the attackers to access the bank accounts and steal funds of their targets. Not only that, but even Xenomorph also has the ability to intercept the two-factor authentication.

However, the worst thing, in this case, is the channel of distribution; as here, the threat actors are abusing the Google Play Store to distribute Xenomorph and, during the second stage of infection, deliver it as a payload.


Here below, we have mentioned all the key features and abilities of Xenomorph banking trojan:-

  • Abuse Google Play Store as a dropper.
  • Harvest all the key information about the device.
  • Harvest SMS.
  • Overlay Attack.
  • Notification interception.
  • SMS interception.
  • Uninstall prevention.
  • Multiple C2.

The Xenomorph trojan shows several similar signs that are noted in the Alien banking trojan; in short, it could be the successor of the Alien banking trojan.

Moreover, the security analysts have claimed that Xenomorph is currently under development, and the recent acts of this trojan have clearly depicted that it’s a serious threat.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.