Xenomorph Android Malware Reappears in a New Campaign Targeting U.S. Banks | Cyware Hacker News

After months of hiatus, Xenomorph is back targeting thousands of banking customers across multiple countries. According to research by ThreatFabric, the campaign has been active since August and attackers are using a new variant of the Android malware that adds overlays for multiple crypto wallets, and targets over 30 banking institutions in the U.S. and Portugal. 

Campaign overview

The campaign is launched via phishing pages posing as Chrome updates, with a maximum of over 3000 downloads observed in Spain, followed by more than 100 downloads each in the U.S. and Portugal. 
  • According to researchers, the attackers have recently begun distributing ExobotCompact/Octo to ensnare more victims.
  • Besides this, researchers found evidence of attackers targeting desktops using RisePro stealer and LummaC2 stealer malware.
  • These stealer malware were concealed within two files named “phoneoutsourcing.exe” and “647887023.png” and upon execution, enabled threat actors to steal credentials from victims’ systems.   

The new Xenomorph variant

Although the new sample isn’t vastly different from previous versions, it comes with some new features indicating that its authors continue to revamp the malware. 

  • One of these is a new ‘mimic’ feature that gives the malware the capability to act as another application.
  • Another notable feature is its sophisticated and flexible Automatic Transfer System (ATS) framework that allows the automatic transfer of funds from a compromised device to the one controlled by attackers. 
  • Finally, there’s a new ‘antisleep’ feature that allows malware operators to maintain prolonged engagement and communication with compromised devices.


The fact that Xenomorph is being distributed alongside malware stealers indicates a new activity that was not seen before. This could mean that the Android malware is being officially sold as a MaaS to actors or there may be a connection between threat actors behind each of these malware. With the emergence of this variant, researchers anticipate more attacks in the future.