How to Protect Android Apps Against Xenomorph Malware

Last updated October 18, 2024 by Appdome

Learn how to detect and protect against Xenomorph Android malware in Android apps in mobile CI/CD using Appdome’s no-code unified mobile app defense platform.

What is Xenomorph?

Xenomorph is an advanced Android banking trojan first identified in early 2022, targeting users primarily in the U.S., Canada, Spain, Italy, Portugal, and Belgium. Originally aimed at European financial institutions, it has since evolved to target cryptocurrency wallet users and financial institutions in the U.S. and beyond. This malware is modular and flexible, employing a dropper called “BugDrop” and a distribution platform named “Zombinder.”

Xenomorph’s attack methods include overlay attacks, where it places fake login screens over legitimate banking apps to steal credentials, and an automated transfer system (ATS) that allows it to perform unauthorized transactions without user interaction. The Trojan is also capable of bypassing multi-factor authentication (MFA), intercepting SMS messages, and stealing login credentials, including session cookies to hijack active web sessions. Xenomorph also abuses Android’s Accessibility Services to perform a variety of malicious activities. By abusing this feature, it can intercept and manipulate user inputs, overlay fake login screens to steal credentials, and simulate user taps. This allows Xenomorph to bypass security measures and perform unauthorized financial transactions or access sensitive information without the victim’s knowledge. In a recent campaign, victims were tricked into downloading malicious APK files through phishing pages that mimicked legitimate Chrome updates. Furthermore, Xenomorph simulates taps, prevents screen locking, and its infrastructure has revealed other malware variants used by the same operators​.

How Does Appdome Protect Against Xenomorph?

Taking all the above into consideration, you can use Appdome to protect against Xenomorph using a combination of following protection methods:

  • RASP – Prevents Xenomorph from injecting itself into installed apps and repackaging them.
  • Code Obfuscation – Protects against decompiling and malicious reverse engineering.
  • Root Detection – Protects app from running on rooted Android device.
  • MitM Attack Prevention – Prevents Xenomorph from intercepting or hijacking sessions to steal data.
  • Block App Overlay Attacks – Detects and prevents fake/malicious screen overlays from displaying on top of the app screen and concealing the legitimate app screen.
  • Keylogging Prevention – Prevents the use of malicious keyloggers which may be used to intercept two-factor authentication codes or harvest sensitive information.
  • Prevent Accessibility Services Malware – Detects and prevents malicious actions against mobile apps and users undertaken by malware and malware families that abuses Android AccessibilityService in mobile apps
  • Google Play Store Signature Validation – protects against fake apps, clones, masquerading.
  • Prevent ATS Malware – Detect active transaction hijacking attempts, blocks the attempt, provide a notification to the end user.

Each of the protections above are linked to the relevant knowledge base article for that feature, which provide detailed information about each feature and also explain how to implement each protection in your Android app.

Prerequisites

To use Appdome’s to protect Android apps against Xenomorph, you’ll need the following:

Related Articles:

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.

 

Appdome

Want a Demo?

Android Malware Detection

TomWe're here to help
We'll get back to you in 24 hours to schedule your demo.