New Malware is Compromising Google Play
Table of Contents
- By David Lukic
- Published: Feb 23, 2022
- Last Updated: Feb 27, 2025
A new form of malware referred to as Xenomorph is infiltrating Google Play. Digital security researchers insist the new modular trojan is connected to other forms of malware, including Alien and Cerebus. If these cyber security specialists’ predictions come true, the Xenomorph threat will expand all the more as the malware continues to progress.
What is Xenomorph all About?
Xenomorph nests within users’ Google Play before wreaking havoc. At the moment, Xenomorph has been downloaded more than 50,000 times from the app store. Xenomorph typically nests within the Fast Cleaner app. Google Play users who have downloaded this app should delete it as soon as possible to prevent an account takeover.
Who Does Xenomorph Target?
Xenomorph targets computers that use Google Play. More specifically, ThreatFabric reveals that the malware is zeroing in on European banks. Xenomorph’s overlay targets include financial institutions throughout Italy, Portugal, Belgium, Spain, and other parts of Europe. The malware zeroes in on banking apps, cryptocurrency wallets, and email services.
How Does the Malware Steal Information?
The malware generates seemingly legitimate facsimiles of user login webpages at the point when the target user tries to log into his or her mobile banking app. The aim of the malware is to steal user credentials that targeted individuals enter on the fake login page.
Xenomorph malware is advanced to the point that it contains code overlaps along with ties to the above referenced Alien malware. To be more specific, Xenomorph can abuse accessibility services within Android to obtain control over the functions of a phone or tablet, setting the stage for even more harmful features that extend well beyond merely stealing user login credentials for mobile banking applications.
Digital security specialists who have studied Xenomorph are worried that its logging capability is advanced to the point that it can transmit the stolen information to the C2 server for keylogging purposes and gathering behavioral information on targets, allowing for installation on applications even if not listed on the initial group of targets.
Xenomorph is still considered to be under development as the advanced functions described above are still works in progress. The problem is that Xenomorph has quickly advanced to the point that it is already using highly effective overlays to fool target users into handing over their banking login credentials.
Why is the Fast Cleaner Application Important?
According to ThreatFabric, the Google Play application referred to as Fast Cleaner is used to load the Xenomorph dropper. The dropper is hidden within the application and appears to be beneficial in that it is allegedly effective at optimizing phone battery power and removing clutter. The application transmits the malware into the device, setting the stage for login credentials to be stolen. Next, the malware transmits a list of packages that have been installed. At this point, the appropriate overlays are selected based on the user’s specific target applications.
What Else is Xenomorph Capable Of?
Xenomorph also uses notification interception and SMS messages to log and capitalize on two-factor login authentication tokens. Digital security professionals are worried the bot will utilize automatic transfer system features in the weeks and months ahead. Also referred to as ATS, these system capabilities trigger wire transfers without the use of credentials, ultimately subverting two-factor authentication as well as defenses against fraud.
