June 26, 2023

Xenomorph Trojan: A Growing Threat to Android Banking Apps


As online banking becomes more convenient, a sinister foe is waiting to strike. The Xenomorph Trojan has advanced to its third generation, targeting a growing number of users. The Trojan preys on weak spots in Mobile banking Apps, allowing it to bypass two-factor authentication (2FA) measures and put more than 400 targets at risk. Stay vigilant against this rising danger by understanding the Xenomorph Trojan’s traits, operations, and effective prevention methods.

What is Xenomorph Trojan?

The Xenomorph Trojan malware specifically aims at Android devices and can compromise the two-factor authentication techniques used by banking and financial applications. It emerged in February 2022 and has already undergone three generations, resulting in an increase in the danger it poses.

At the time, few would have guessed it would become a serious threat to Mobile banking.

“Xenomorph’s returned list of overlay targets includes applications from Spain, Portugal, Italy, and Belgium. Additionally, general-purpose Apps such as emailing services and cryptocurrency wallets are also on the list.”


Figure 1: Xenomorph’s returned list of overlay.

Being engineered to bypass conventional security systems, this Trojan can remain hidden on an infected device for prolonged periods. Upon infiltration, it can effortlessly loot crucial pieces of information such as login details, banking data, and personal information. The Xenomorph Trojan operates through an ATS module that can set off authenticator Apps and extract authentication codes which are then exploited to circumvent two-factor authentication.

The Trojan’s primary targets are banking and financial applications. Its latest iteration can now aim at over 400 applications of this kind. Additionally, the Xenomorph Trojan has the capacity to take advantage of imperfections in third-party libraries and services utilised by the targeted applications, enhancing its resilience against detection and prevention.

Xenomorph 3rd generation: advanced capabilities

The Xenomorph Trojan’s third generation poses a more significant threat than its precursors, being even more sophisticated and hazardous.

The advanced capabilities of the Xenomorph 3rd generation include:

  • An Accessibility services-based runtime engine: A comprehensive engine that performs commands and automates tasks, which makes it hard to spot the Trojan’s activity.

  • Automated Transfer System framework implementation: The Trojan targets Automated Transfer Systems (ATS) used by banking and financial Apps. This allows it to conduct fake transactions and move money to the hacker’s account, rendering it easier to steal sensitive data.

  • Increased targets: The third generation targets over 400 banking and financial Apps, as opposed to the first generation’s 56. This broadened target range allows the Trojan to infect a more significant number of devices and collect more sensitive data.

How does the Xenomorph Trojan work?

The Xenomorph Trojan is a complex malware that targets confidential information from unsuspecting victims. It spreads through phishing emails, disguised as legitimate messages from trustworthy sources, that activate the Trojan once a victim clicks on the link or downloads the attachment. As a result, the attacker has access to the victim’s device.

The most alarming aspect of the Xenomorph Trojan is its specific focus on banking apps and financial institutions. The Trojan can steal sensitive data such as usernames, passwords, and other valuable information, which can lead to identity theft and financial losses for its victims.

The Xenomorph Trojan relies on an ATS module and authentication code extraction, which work as follows:

  • The Xenomorph Trojan deploys an Automated Transfer System (ATS) module that automates the process of transferring funds from the victim’s account directly to the attacker’s account.

  • Moreover, the Trojan can harvest authentication codes and bypass two-factor authentication methods, facilitating easy access to systems and breaches of security.

How can Build38 help detect and prevent the Xenomorph Trojan?

Ensuring Android device security and protecting sensitive information requires detecting and preventing the Xenomorph Trojan. This can be achieved by combining security measures and best practices in Mobile App protection.

Transaction Authorization Key (TAK): One useful solution is our Transaction Authorization Key (TAK). TAK generates a unique code for each transaction, which is required to complete it, preventing its repackaging as the initial hurdle to stop this Trojan.

For instance:

  • Mobile banking Apps that use TAK generate a distinct code for each transaction.

  • The code remains valid for a brief period, typically only a few minutes.

  • Specific information such as account data and transaction details are used to generate the code.

  • After the transaction is concluded, the code expires and cannot be misused by attackers.

This makes it complicated for attackers to make unauthorised transfers and can be used to add an additional layer of security to banking transactions and protect against the Xenomorph Trojan.
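The four properties listed above (a code per transaction, short validity, derivation from account and transaction details, expiry after use) can be shown with a generic HMAC-based scheme. This is an added example, not Build38's TAK implementation; the shared key, the field names, the 180-second window and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

CODE_TTL_SECONDS = 180  # assumption: "a few minutes" of validity


def _tag(key: bytes, tx: dict, issued: int) -> str:
    # Canonical JSON so both sides authenticate identical bytes.
    body = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body + b"|" + str(issued).encode(), hashlib.sha256).hexdigest()


def issue_code(key: bytes, tx: dict, now: int) -> str:
    """App side: code derived from the account data and transaction details."""
    return f"{int(now)}.{_tag(key, tx, int(now))}"


class Verifier:
    """Bank side: checks transaction binding, freshness and single use."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()  # codes already consumed by a completed transaction

    def verify(self, tx: dict, code: str, now: int) -> str:
        try:
            issued_s, tag = code.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(_tag(self._key, tx, issued).encode(), tag.encode()):
            return "mismatch"  # details differ from what the user authorised
        if not 0 <= now - issued <= CODE_TTL_SECONDS:
            return "expired"
        if code in self._used:
            return "replayed"
        self._used.add(code)
        return "ok"


def demo() -> list:
    key = b"constructed-demo-key"  # constructed; a real key sits in protected storage
    tx = {"tx_id": "T-1001", "from": "ACC-111", "to": "ACC-222", "amount": "25.00"}
    late = dict(tx, tx_id="T-1002")
    altered = dict(tx, to="ACC-999", amount="2500.00")  # payee and amount changed
    v, code = Verifier(key), issue_code(key, tx, 1000)
    return [v.verify(altered, code, 1010), v.verify(tx, code, 1010),
            v.verify(tx, code, 1020), v.verify(late, issue_code(key, late, 1000), 1181)]
```

A code issued for one payee and amount fails verification when either field is altered, and a code that has been used or has aged past the window is rejected. The scheme only holds while the key stays out of reach of other software on the device.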

Runtime application self-protection (RASP): One effective security measure is runtime application self-protection (RASP). To extract the authenticator codes, the Trojan needs to compromise the authenticator application at runtime to extract the authentication code displayed by the application. With TAK built into the authenticator application this compromise attempt would be detected by Build38’s RASP system. This approach involves embedding security controls within the application itself to detect and prevent malicious behaviour during runtime. RASP can help prevent the Xenomorph Trojan from compromising a device and stealing confidential data.

Other Preventive Measures: The other security measures for preventing Xenomorph Trojan include:

Security Measure/Best Practice                   Description
Keep Android device up to date                   Install the latest security patches and updates to ensure security
Avoid downloading Apps from untrusted sources    Installing Apps only from official app stores reduces the risk of downloading malware
Be vigilant when opening emails                  Attackers may use phishing attacks to trick users into downloading malware or revealing sensitive information

Keep in mind that Build38’s T.A.K is designed to protect the application itself independently of the system it is in. This means that even if the device is infected with an application zombified by the Trojan, the data is protected by T.A.K’s secure storage in persistent memory, by the RASP system at runtime and by the secure channel when travelling over the network.

Protect your Mobile Apps with Build38

The Xenomorph Trojan is a dangerous banking Trojan that can steal sensitive information from Android devices. The third generation of the Trojan is even more challenging to detect and prevent due to advanced capabilities such as the Automated Transfer System framework implementation and accessibility services-based runtime engine. To prevent the Xenomorph Trojan, users can implement runtime application self-protection (RASP), use Transaction Authorization Key (T.A.K), and update their devices with security patches offered by Build38. To learn more about how to protect Mobile banking Apps
