NCC CSIRT discovers malware targeting banking apps
The Nigerian Communications Commission’s Computer Security Incident Response Team (CSIRT) said it has discovered new malware that steals users’ banking app login credentials on Android devices.
According to a security advisory from the NCC CSIRT, the malware called “Xenomorph”, which targets 56 European financial institutions, has a high impact and a high vulnerability rate. The malware's main purpose is to steal credentials, which it combines with SMS and notification interception to log in and use potential 2-factor authentication tokens.
Xenomorph is spread by an app that slipped into Google Play Store and pretends to be a legitimate app called “Fast Cleaner” which is supposed to wipe junk files, boost device speed and optimize battery. In reality, this application is just a means through which the Xenomorph Trojan could spread easily and effectively.
To avoid early detection or being denied access to the Play Store, “Fast Cleaner” was released before the malware was placed on the remote server, making it difficult for Google to determine that the app was being used for malicious actions.
Once operational on a victim’s device, Xenomorph can collect device and short messaging service (SMS) information, intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it. The threat also asks for accessibility services privileges, which allow it to grant itself other permissions.
The CSIRT said the malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones. Considering that it can also intercept messages and notifications, it allows its operators to bypass SMS two-factor authentication and log into victims’ accounts without alerting them.
“Xenomorph was found to target 56 online banking apps, 28 from Spain, 12 from Italy, 9 from Belgium and 7 from Portugal, as well as cryptocurrency wallets and general-purpose apps like mobile services. The Fast Cleaner app has now been removed from the Play Store, but not before garnering over 50,000 downloads,” the CSIRT security advisory asserted.
The NCC has advised telecommunications consumers to be alert so as not to fall victim to this manipulation. Accordingly, the NCC urges telecommunications consumers and other Internet users, especially those using Android devices, to use reliable anti-virus solutions and update them regularly with their latest definitions. The Commission also urges consumers and other stakeholders to always update banking apps to their latest versions.