Security News > 2022 > February > New Android Banking Trojan Spreading via Google Play Store Targets Europeans

A new Android banking trojan with over 50,000 installations has been observed distributed via the official Google Play Store with the goal of targeting 56 European banks and carrying out harvesting sensitive information from compromised devices.
Xenomorph, like Alien and ERMAC, is yet another example of an Android banking trojan that's focused on circumventing Google Play Store's security protections by masquerading as productivity apps such as "Fast Cleaner" to trick unaware victims into installing the malware.
It's worth noting that a fitness training dropper app with over 10,000 installations - dubbed GymDrop - was found delivering the Alien banking trojan payload in November by masking it as a "New package of workout exercises."
Fast Cleaner, which has the package name "Vizeeva.fast.cleaner" and continues to available on the app store, has been most popular in Portugal and Spain, data from mobile app market intelligence firm Sensor Tower reveals, with the app making its first appearance in the Play Store towards the end of January 2022.
What's more, reviews for the app from users warned that "This app has malware" and that it "Ask[s] for an update to be confirmed continuously." Another user said: "It puts malware on the device and apart from that it has a self-protection system so that you cannot uninstall it."
It's equipped with a notification interception feature to extract two-factor authentication tokens received via SMS, and get the list of installed apps, the results of which are exfiltrated to a remote command-and-control server.
News URL
https://thehackernews.com/2022/02/xenomorph-android-banking.html
Related news
- SpyLend Android malware downloaded 100,000 times from Google Play (source)
- New North Korean Android spyware slips onto Google Play (source)
- Malicious Android 'Vapor' apps on Google Play installed 60 million times (source)
- New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials (source)
- Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play (source)
- Google Confirms Android SafetyCore Enables AI-Powered On-Device Content Classification (source)
- New TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades (source)
- Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities (source)
- How Google tracks Android device users before they've even opened an app (source)
- Google fixes Android zero-day exploited by Serbian authorities (source)