The primary purpose of this malware is to steal financial credentials and to intercept SMS and notification messages so that it can capture any two-factor authentication tokens they carry; by overlaying fake login pages on top of legitimate ones, it lets attackers bypass “SMS-based two-factor authentication” and access victims’ accounts without alerting them.
In a statement, NCC said,
“Xenomorph is propagated by an application that was slipped into the Google Play Store and masquerading as a legitimate application called ‘Fast Cleaner’, ostensibly meant to clear junk, increase device speed and optimize the battery.”
“In reality, this app is only a means by which the Xenomorph Trojan could be propagated easily and efficiently. To avoid early detection or being denied access to the Play Store, ‘Fast Cleaner’ was disseminated before the malware was placed on the remote server, making it hard for Google to determine that such an app is being used for malicious actions.”
“Once up and running on a victim’s device, Xenomorph can harvest device information and Short Messaging Service, intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it. The threat also asks for Accessibility Services privileges, which allow it to grant itself further permissions.”
According to CSIRT’s report, Fast Cleaner had gained over 50,000 downloads, even though it has since been removed from the Google Play Store.
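As an added, defender-side example that is not part of the report or of NCC’s statement: a small Python triage script that parses a constructed per-app permission inventory and flags apps combining the capabilities described above (SMS and notification interception, screen overlays, Accessibility Services, uninstall resistance). The inventory format, the package names and the flagging threshold are assumptions made for this example.

```python
"""Triage an app-permission inventory for the capability combination the
NCC statement attributes to Xenomorph: SMS interception, notification
interception, screen overlays and Accessibility Services abuse.

The input format below is constructed for this example (one app per block,
"package: <name>" followed by indented permission lines); it is not the
output of any specific tool.
"""
import re
from collections import defaultdict

# Each capability from the report, mapped to the Android permissions that
# grant it. The BIND_* entries are service-binding permissions declared in
# the manifest rather than runtime grants, but they appear in an inventory.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "notification_interception": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "uninstall_resistance": {"android.permission.BIND_DEVICE_ADMIN"},
}

# Constructed sample inventory: one "junk cleaner" requesting the banking-trojan
# capability set, plus two apps with legitimate-looking subsets.
SAMPLE_INVENTORY = """\
package: com.example.fastcleaner
    android.permission.RECEIVE_SMS
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.BIND_ACCESSIBILITY_SERVICE
    android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
package: com.example.messenger
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
package: com.example.screenreader
    android.permission.BIND_ACCESSIBILITY_SERVICE
"""

def parse_inventory(text):
    """Return {package: set(permissions)} from the constructed listing."""
    apps, current = defaultdict(set), None
    for line in text.splitlines():
        m = re.match(r"package:\s*(\S+)", line)
        if m:
            current = m.group(1)
            apps[current]  # register the package even if it lists nothing
        elif current and line.strip().startswith("android.permission."):
            apps[current].add(line.strip())
    return dict(apps)

def capabilities_of(perms):
    """Capabilities reachable with the given permission set."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}

def flag_suspects(text, threshold=3):
    """Flag apps combining at least `threshold` capabilities: one alone (an SMS
    app, a screen reader) is normal; the combination is the overlay-plus-2FA
    interception pattern described in the report."""
    return {pkg: sorted(capabilities_of(p)) for pkg, p in parse_inventory(text).items()
            if len(capabilities_of(p)) >= threshold}
```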