
Xenomorph banking trojan spread by Android dropper apps

The Hacker News reports that two Android apps, "Todo: Day manager" and "経費キーパ", have been found to serve as droppers for the Xenomorph banking malware; both apps have already been removed from the Google Play Store. Aside from exfiltrating banking app credentials, Xenomorph can also monitor SMS messages and notifications in order to steal one-time passwords and multi-factor authentication requests, according to a report from Zscaler ThreatLabz. Xenomorph was initially reported by ThreatFabric to perform overlay attacks by abusing Android accessibility permissions, placing fraudulent login screens over banking apps to capture credentials. Xenomorph also uses the description of a Telegram channel to decode and construct its command-and-control domains. Separately, four other Android apps were recently found to have been used in an adware and info-stealing campaign that redirects users to malicious websites; Google has since banned the developer of the four apps.
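As an added defensive example (not code from the SC Media brief or from any of the vendors it cites), the Python script below parses an AndroidManifest.xml and flags the permission combination that the reported capabilities imply: an accessibility service (used for overlays), SMS and notification-listener access (used for OTP and MFA interception), and package-install rights (dropper behaviour). The permission names are real Android identifiers; the two manifests are constructed samples, and the verdict thresholds are an assumption chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions requested via <uses-permission>, mapped to the capability they grant.
RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}

# Permissions that appear on a <service> element; these bind the app to a
# privileged system service (accessibility, notification listener).
RISK_SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
}


def manifest_capabilities(manifest_xml: str) -> set:
    """Return the set of risky capabilities declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for perm in root.iter("uses-permission"):
        tag = RISK_PERMISSIONS.get(perm.get(ATTR_NAME, ""))
        if tag:
            caps.add(tag)
    for svc in root.iter("service"):
        tag = RISK_SERVICE_PERMISSIONS.get(svc.get(ATTR_PERMISSION, ""))
        if tag:
            caps.add(tag)
    return caps


def triage(manifest_xml: str) -> dict:
    """Assumed scoring: accessibility plus any interception/overlay capability is
    the combination the brief describes, so it is rated high; any single risky
    capability is medium; none is low."""
    caps = manifest_capabilities(manifest_xml)
    if "accessibility" in caps and caps & {"sms", "notifications", "overlay"}:
        verdict = "high"
    elif caps:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "capabilities": sorted(caps)}


# Constructed sample: a to-do app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.todo.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Todo sample">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: a "productivity" app declaring the dropper/overlay/OTP-theft set.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.todo.suspicious">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Todo sample">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, triage(manifest))
```

The check is a coarse triage signal rather than a verdict on its own: a legitimate SMS or accessibility app will also light up one capability, so the combination, and its mismatch with the app's stated purpose (a to-do or expense tracker), is what should prompt a closer look before installation or during app-store review.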
