The Emerging Threat of Xenomorph Banking Trojan: Targeting U.S. Banks and Crypto Wallets

Xenomorph Banking Trojan

As technology continues to evolve, so do the methods of cybercriminals. The latest threat to emerge is a new version of the Xenomorph banking Trojan, which has set its sights on over 35 well-established financial institutions across the U.S. and various digital cryptocurrency wallets.

Understanding the Xenomorph Banking Trojan

Xenomorph, an offshoot of the infamous Alien Android banking Trojan, first made its appearance in 2022 and has since grown in both its reach and capabilities. The Trojan is known for its modus operandi of deploying phishing web pages, enticing unsuspecting victims to install malicious Android apps. These apps are designed to target a wider range of applications than their predecessors.

The Evolution of Xenomorph

Ever since its inception, Xenomorph has been continually evolving, expanding its target list, and enhancing its attacking capabilities. From initially targeting European banks, it is now setting its sights on financial institutions in the U.S., Spain, Canada, Italy, Belgium, and Portugal.  The Trojan’s authors, a group known as Hadoken Security, have been diligently working on refining and enhancing the malware to increase its effectiveness and reach. This continuous development resulted in a new dropper named BugDrop in 2022, which managed to bypass security features in Android 13.

The Latest Xenomorph Campaign

The latest Xenomorph campaign was observed in mid-August 2023. In a significant shift from the previous modus operandi, the malware was distributed via counterfeit websites offering Chrome browser updates rather than through legitimate apps on the Google Play Store.
This change in strategy has made it more challenging for cybersecurity experts to track and counter the malware’s activities. However, thanks to Dutch security firm ThreatFabric, we have a clear understanding of the Trojan’s current operations and targets.

Xenomorph’s Current Targets

The current version of Xenomorph has significantly expanded its list of targets. It now includes over 35 financial institutions in the U.S. and several cryptocurrency wallets. This is a significant increase from the initial list of 56 European banks when the Trojan first emerged.
According to ThreatFabric, the current campaign has added dozens of new overlays for institutions from the U.S., Portugal, and multiple crypto wallets. This trend has been consistent amongst all banking malware families over the past year.

Xenomorph’s New Features

The authors of Xenomorph have added several new features to the malware in their latest update. These features include:

  • AntiSleep: This feature prevents the phone’s screen from turning off by creating an active push notification.
  • Touch Simulation: This allows the malware operators to simulate a simple touch at a specific screen coordinate.
  • Mimic: This feature allows the malware to impersonate another app.

The Xenomorph Threat Landscape

As per the analysis by ThreatFabric, Xenomorph is considered an extremely dangerous Android banking Trojan. Its ATS (Automatic Transfer System) engine is versatile and powerful, with multiple modules already created to support various manufacturer’s devices.
The Trojan is mainly focusing on Samsung and Xiaomi devices, which make up roughly 50% of the total Android market share. This makes the Trojan a significant threat to a large number of Android users worldwide.

The Bigger Picture: Collaborative Cybercrime

During their investigation, ThreatFabric analysts discovered that the payload hosting infrastructure used by Xenomorph was also serving other malware variants. This included Windows stealer malware such as Lumma C2 and RisePro, as well as a malware loader referred to as Private Loader.  This discovery suggests that the Xenomorph operators might be collaborating with other threat actors or possibly selling the Android Trojan as Malware-as-a-Service (MaaS).

Counteracting Xenomorph: What Can Be Done?

As Xenomorph continues to evolve and expand its reach, it’s crucial for individuals and organizations to take proactive measures to protect themselves. This includes installing a reliable security solution, regularly updating all software and apps, and being wary of suspicious websites and emails.
Users should also be cautious about prompts on mobile to update their browsers, as these are often part of malware distribution campaigns.


The emergence and evolution of Xenomorph underscore the importance of robust cybersecurity measures in today’s digital age. As cybercriminals continue to refine and enhance their methods, individuals and organizations need to stay one step ahead, always vigilant and proactive in their approach to cybersecurity.

About Purple Shield Security

Purple Shield Security is not your typical cybersecurity consulting firm. We are the guardians of your digital realm, committed to protecting your business from the constantly evolving landscape of cyber threats. With a dedicated team of passionate security professionals by your side, we go above and beyond mere data and system protection – we provide you with peace of mind. Our comprehensive range of services includes Managed Cybersecurity Services, Security Assessments, Penetration Testing, Incident Response, and more. By harnessing cutting-edge solutions and leveraging our expertise, we empower you to fortify your web applications and minimize vulnerability to attacks.
Don’t wait to secure your business. Get in touch with us today and discover how Purple Shield Security can revolutionize your cybersecurity defenses.