Xenomorph banking Trojan downloaded over 50,000 times from Google Play Store

Researchers have found that the Xenomorph banking Trojan has been distributed through the official Google Play Store, reaching more than 50,000 installations.

ThreatFabric revealed that the Fast Cleaner app infects Android devices with a trojan designed to steal sensitive information from the user, including reading SMS messages and notifications without the user ever noticing. The research team calls the new malware "Xenomorph" and notes that it has some similarities with the recent Alien banking trojan.

The researchers found the dropper for the Xenomorph banking Trojan on the Google Play Store under the name Fast Cleaner, posing as a utility that speeds up the device by removing unused clutter and lifting battery-optimization restrictions.

To avoid detection, and to avoid being rejected from the Google Play Store, these dropper apps are published before the malicious payload is placed on the remote server: at review time the app behaves benignly, and the banking trojan is only fetched once the payload goes live.

The Fast Cleaner app has since been removed from the Google Play Store, but by then it had been downloaded more than 50,000 times.

IOCs

Domains:

  • simpleyo5.tk           Main C2
  • simpleyo5.cf           Backup C2
  • art12sec.ga            Backup C2
  • kart12sec.gq           Backup C2
  • homeandofficedeal.com  Overlay C2

Package names (Fast Cleaner dropper):

  • com.census.turkey
  • com.laundry.vessel
  • com.tip.equip
  • com.spike.old
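The IOCs above are only useful if they are actually checked against something. The script below is an added example written for this page, not code from ThreatFabric or the article: it matches the listed C2 domains against DNS query log lines (treating subdomains of an IOC as hits but not look-alike names such as notsimpleyo5.tk) and matches the dropper package names against the output of `adb shell pm list packages`. The dnsmasq-style log lines and the package listing are constructed for the example; the domain and package values are the ones listed above.

```python
"""Match the Xenomorph IOCs from the article against DNS logs and an Android
package listing. Sample inputs are constructed; IOC values are from the page."""

import re
from typing import Dict, Iterable, List, Optional

# IOCs as listed in the article: domain -> role.
XENOMORPH_C2_DOMAINS: Dict[str, str] = {
    "simpleyo5.tk": "Main C2",
    "simpleyo5.cf": "Backup C2",
    "art12sec.ga": "Backup C2",
    "kart12sec.gq": "Backup C2",
    "homeandofficedeal.com": "Overlay C2",
}

# Fast Cleaner dropper package names as listed in the article.
XENOMORPH_DROPPER_PACKAGES = {
    "com.census.turkey",
    "com.laundry.vessel",
    "com.tip.equip",
    "com.spike.old",
}

# Constructed sample: dnsmasq-style query log (not real traffic).
SAMPLE_DNS_LOG = """\
Feb 24 10:01:13 gw dnsmasq[812]: query[A] www.example.com from 10.0.0.21
Feb 24 10:01:20 gw dnsmasq[812]: query[A] simpleyo5.tk from 10.0.0.42
Feb 24 10:01:21 gw dnsmasq[812]: query[A] api.homeandofficedeal.com. from 10.0.0.42
Feb 24 10:01:30 gw dnsmasq[812]: query[AAAA] notsimpleyo5.tk from 10.0.0.42
Feb 24 10:02:02 gw dnsmasq[812]: query[A] KART12SEC.GQ from 10.0.0.7
"""

# Constructed sample: output of `adb shell pm list packages` (not a real device).
SAMPLE_PM_LIST = """\
package:com.android.settings
package:com.census.turkey
package:com.example.notes
"""

_DNS_QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def _matches_ioc_domain(name: str) -> Optional[str]:
    """Return the IOC domain if `name` is that domain or a subdomain of it.
    Plain substring matches (e.g. notsimpleyo5.tk) are deliberately not hits."""
    name = _normalize(name)
    for ioc in XENOMORPH_C2_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per DNS query that resolves a Xenomorph C2 domain."""
    hits = []
    for line in lines:
        m = _DNS_QUERY_RE.search(line)
        if not m:
            continue
        ioc = _matches_ioc_domain(m["name"])
        if ioc:
            hits.append({
                "client": m["client"],
                "queried": _normalize(m["name"]),
                "ioc": ioc,
                "role": XENOMORPH_C2_DOMAINS[ioc],
            })
    return hits


def scan_package_list(lines: Iterable[str]) -> List[str]:
    """Return installed package names that match the known dropper packages."""
    found = []
    for line in lines:
        line = line.strip()
        if line.startswith("package:"):
            pkg = line[len("package:"):]
            if pkg in XENOMORPH_DROPPER_PACKAGES:
                found.append(pkg)
    return found


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['client']} queried {hit['queried']} -> {hit['ioc']} ({hit['role']})")
    for pkg in scan_package_list(SAMPLE_PM_LIST.splitlines()):
        print(f"installed dropper package: {pkg}")
```

Two caveats when using this in practice: the package names and domains are the ones known at publication time, and later builds of the dropper may use different ones; and a hit on the overlay C2 domain from a client that does not have the dropper installed is still worth triage, since the payload can be pulled by any app the dropper later installs.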
