A new version of a very dangerous Android malware has been identified. This improved iteration now targets investors who hold cryptocurrencies. We take stock of the hackneyed but effective modus operandi of cybercriminals.
Last year, an Android malware called Xenomorph appeared. It managed to bypass the defenses of the Play Store, Google’s Android app store, and infect more than 50,000 devices.
During its baptism of fire, Xenomorph had only one objective: to steal users’ bank details. In particular, it attacked dozens of European financial institutions, notably in Spain and Belgium. More than fifty banks were targeted by the malware.
Xenomorph virus turns to crypto
According to a report from ThreatFabric, Xenomorph has evolved since its first appearance. Researchers have counted five versions of the malware so far. The developers behind the virus have added “new features” in recent months.
Above all, the malware now also targets cryptocurrency wallets. After going after users’ banking credentials, it now targets private keys, that is to say the sequence of words that gives access to the funds stored in a wallet on the blockchain.
A hackneyed trap
Xenomorph’s new modus operandi is to trap Google Chrome users. The hackers display a pop-up window warning that the Chrome browser “needs updating”. It is a tactic as old as time, and one that is still very common on countless dubious sites.
“Browser updates generally don’t announce the need to do this in the middle of your screen, especially not while you’re surfing,” underlines Malwarebytes, which relays ThreatFabric’s findings.
This window encourages users to download and install the latest Chrome update with a single click. Instead of an update, a file containing the Xenomorph code is installed on the smartphone.
Once it has infected the phone, the malware does everything it can to obtain its victims’ private keys. It mainly relies on the fake overlay technique, very popular with banking trojans. Concretely, Xenomorph displays a fake window on top of cryptocurrency wallet apps such as MetaMask.
These fake windows take over the interface of the imitated service. Thanks to a new feature, Xenomorph can also mimic the behavior of an application by displaying legitimate content through WebView, the Android component that lets an app display web content directly inside itself. The virus therefore does not need to change its icon, a behavior that sometimes triggers a security alert.
“By pretending to be another application, Xenomorph can avoid using this technique, […] one of many typical behaviors of Android malware,” explains ThreatFabric.
Users then enter their credentials and private keys in the fake window, thinking they are interacting with the official crypto app. The hackers thus seize the private keys and, with these, can drain users’ wallets without the slightest hindrance. The funds are transferred on the blockchain to another address.
Around a hundred apps are targeted by Xenomorph
Other new additions to Xenomorph’s arsenal include a tool capable of simulating taps on the touch screen. This feature lets the malware bypass confirmation screens or perform other simple actions without the user’s knowledge. Another mechanism prevents the smartphone from going to sleep, to avoid interruptions in the data theft process.
More than 100 different apps can be imitated by Xenomorph. Among the targets of the virus are both banks and crypto services, says ThreatFabric. Examples include apps such as Binance, Trust, Poloniex, Coinbase, Kraken, MetaMask, BitPay or Bitstamp. Note that several Belgian banks are still targeted, including Belfius, AXA, KBC and ING. According to the researchers, the software has already been downloaded thousands of times since its big return to the spotlight.
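The overlay, synthetic-tap and keep-awake capabilities described above each rest on a specific Android permission, which gives defenders a cheap triage signal. The following is an added example, not code from the article, from ThreatFabric or from Malwarebytes: a hypothetical manifest triage function that maps each capability to the permission an app must declare to obtain it, run over two constructed sample manifests (the article does not state which permissions Xenomorph requests; that mapping is an assumption based on how Android grants these capabilities).

```python
"""Hypothetical triage heuristic for the capability set described in the article:
overlay windows, synthetic taps, keeping the screen awake and sideloading an 'update'.
Added example; not Xenomorph's code and not a vendor detection rule."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> Android permission that normally grants it (assumption)
CAPABILITY_PERMISSIONS = {
    "overlay_windows": "android.permission.SYSTEM_ALERT_WINDOW",
    "keep_screen_awake": "android.permission.WAKE_LOCK",
    "install_packages": "android.permission.REQUEST_INSTALL_PACKAGES",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def assess_manifest(manifest_xml: str) -> dict:
    """Return the risky capabilities a manifest declares and a coarse review tier."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    caps = {cap for cap, perm in CAPABILITY_PERMISSIONS.items() if perm in declared}
    # An accessibility service is the usual way an app injects taps on the user's behalf
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            caps.add("synthetic_taps")
    if {"overlay_windows", "synthetic_taps"} <= caps:
        tier = "high"      # overlay plus automated taps: the classic banker combination
    elif caps:
        tier = "review"    # one risky capability on its own has many legitimate uses
    else:
        tier = "low"
    return {"capabilities": sorted(caps), "tier": tier}


# Constructed sample: the capability set the article describes, plus a self-install hook
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
<application><service android:name=".A11y"
 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
# Constructed sample: a wallet app that only needs network access
WALLET_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/><application/></manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SUSPECT_MANIFEST), assess_manifest(WALLET_MANIFEST))
```

Such a heuristic only ranks apps for review; legitimate accessibility tools and screen-recording apps declare the same permissions, so the result is a triage tier, not a verdict.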