The Zscaler ThreatLabz team has recently discovered the Xenomorph banking trojan embedded in a Lifestyle app in the Google Play store. The app is “Todo: Day manager,” and has over 1,000 downloads. This is the latest in a disturbing string of hidden malware in the Google Play store: in the last 3 months, ThreatLabz has reported over 50+ apps resulting in 500k+ downloads, embedding such malware families as Joker, Harly, Coper, and Adfraud.
Fig no 1.Malware Installer From Play Store
Xenomorph is a trojan that steals credentials from banking applications on users’ devices. It is also capable of intercepting users’ SMS messages and notifications, enabling it to steal one-time passwords and multifactor authentication requests.
Our analysis found that the Xenomorph banking malware is dropped from GitHub as a fake Google Service application upon installation of the app. It starts with asking users to enable access permission. Once provided, it adds itself as a device admin and prevents users from disabling Device Admin, making it uninstallable from the phone. Xenomorph creates an overlay onto legit banking applications to trick users into entering their credentials.
A similar infection cycle was observed three months ago with the Coper banking trojan. This trojan was similarly embedded in apps on the Google Play store, and sourced its malware payload from the Github repo.
Technical Details
Below is the Xenomorph infection cycle once a user downloads an app and opens it.
Fig no 2.Flow of infection
When the app is first opened, it reaches out to a Firebase server to get the stage/banking malware payload URL. It then downloads the malicious Xenomorph banking trojan samples from Github. This banking malware later reaches out to the command-and-control (C2) servers decoded either via Telegram page content or from a static code routine to request further commands, extending the infection.
The parent malware downloader (Google Play Store) application gets its config from Firebase for its database.
Fig no 3. Malware enables downloader.
Fig no 4. Downloader not enabled.
As shown in the above screen shot, the malware will only download further banking payloads if the “Enabled” parameter is set to true.
The following screenshot shows how the Firebase database malware uses Github links to download Xenomorph payloads:
Fig no 5. The malware writes dropper URLs in local DB of firebase
The screenshots in Figures 6 and 7 below show the C2 retrieval from a Telegram page. Here the banking payload has the Telegram page link encoded with RC4 encryption. Upon execution, the banking payload will reach out to the Telegram page and download the content hosted on that page.
Fig no 6.Uses Telegram link response to create C2 in addition to static encrypted C2 present in app
Fig no 7. Telegram channel preview where string in between hearts emoji is used to create C2
As per the following screenshot, the payload will decrypt the C2 server address from the downloaded content:
Fig no 8. Decode C2 from Telegram
ThreatLabz also observed RC4 encoded C2 domains stored inside the code. The following screenshot shows the C2 request in which the payload sends all the installed applications to C2 in order to receive further instructions. In one case, it will present the fake login page of a targeted banking application if the legitimate application is installed in the infected device.
Fig no 9. Malware uploading all package information to receive commands
ThreatLabz also observed another application, named “経費キーパー” (Expense Keeper), exhibiting similar behavior. On execution of this application, it is observed that the “Enabled parameter” is set to false, same as the execution previously shown in Figure 4. Due to that, it was not possible to retrieve the Dropper URL for the banking payload. ThreatLabz is working with the Google Security team for the same.
Fig no 10. Suspicious Installer exhibiting the same behavior
IoCs
| com.todo.daymanager |  |
d81f9c03c412b11df357f0878c9c5cad9319c7eea11b5c46d0c624995bc09563 |
| com.setprice.expenses |  |
58d634230951ee7699a4b4740e12be8e93a28bd183f61447832bd1d5d98160d8 |
Xenomorph banking trojan
| Package Name | MD5 |
| njuknf.cpvmqe.degjia | b8b8706807a97c40940109a93058c3d0 |
| ylyove.pkmcsy.upvpta | 98ea3fe61fde0c053dfac61977a11488 |
| ylykau.jhfxjd.hlhhwl | df57895cfc79ee8812aac5756ab4bcc8 |
| lkvrny.bbslie.mrgsdy | 73511ef7bb9d59b3d91dbeef5f93eec0 |
| gkapsv.nlitfn.fzteaf | f0b001dbe36f45cedcb15e3f9fc02fd7 |
| binono.bgcwvl.iupqtk | 8437e226e55ba6dea9a168bee5787b0d |
| cfbyzn.zhxxjj.sziece | 8f66412e945ca9a75797d5f5eba9765c |
| gfgnfe.rcsjkm.abwxdj | 6a117cafa32a680dc94f455745291f0f |
| usyjui.monkab.acacpn | cb9500f910bd655df444f7d43d0298f9 |
| gnvbgm.ipblyp.bpnyrg | d95c03247a58d3fabb476a7f3241f3a1 |
| xsgrsn.nicojr.uaqxws | cd63afae858fdf75f34aae05e36b8a34 |
| xhlkae.ligagt.dmihjy | c5d510251a34f52427d133a6f9248cbf |
| qlvsvm.oqsncp.otgbxc | 781bbaee614697beecfcbe9a2f9dd820 |
| rxreyj.obxmlg.rjluib | 49c4801abb6c92d17c8021c2f656c644 |
| brpdxm.orolnd.jsxhrp | 1829589d95bdd2c30f0bef154decd426 |
| wwzaqw.eejyqr.czrldy | e834676cdbd63ce4eb613499605dc365 |
| ogbfbt.rhrnua.kccuoh | 9e498ba660bdcb279149e6a5986c2793 |
| lnckvn.vlmjxx.uwcpub | 4b2e849543b0ecaec1885170a5ef5243 |
| vjqfyn.ygmzrs.trlvch | 7e4f1deb5b21d47a7c41ef1a5f43a2f2 |
| blglyu.rjqwgg.vveize | 7f574986dc8a03e6a4cba60d1ac4f7d1 |
C2s
- hxxps[://]github[.]com/blsmcamp/updt
- gogoanalytics[.]click
- gogoanalytics[.]digital
Conclusion
At Zscaler we proactively detect and monitor such applications to secure our clients. Such bank phishing installers most of the time rely on tricking users to install malicious applications. Users are advised to keep an eye on what application is being installed. A Play Store application is not supposed to side load or ask users to install from unknown sources. We believe hostile phishing downloaders will further increase in prevalence in the future. User vigilance is of the utmost importance to defeat these phishing campaigns.
