Google Play Store is considered to be a trusted source for discovering and installing apps, however, cybercriminals have repeatedly found ways to sneak past security barriers in hopes of luring unsuspecting users into downloading malware-laced apps. Recently, a team has discovered the Xenomorph banking trojan embedded in two applications in the Google Play Store.

Latest findings

According to Zscaler ThreatLabz researchers, the two malicious apps are Todo: Day manager, which poses as a lifestyle app; and Expense Keeper. Both apps function as dropper.
  • Todo has over 1,000 downloads. When it is first opened, it reaches out to a Firebase server to get the malware payload URL and downloads Xenomorph samples, hosted on Github.
  • The trojan later reaches out to the C2 servers decoded either via Telegram page content or from a static code routine to request further commands, extending the infection.
  • The other app Expense Keeper exhibits similar behavior as Todo, however, its downloader parameter is not enabled. Thus it was not possible for the app to retrieve the Dropper URL for the payload upon execution.

Google has removed these malicious dropper apps from the Play Store.

Xenomorph capabilities

First detected in February, Xenomorph is known for abusing Android's accessibility permissions to conduct overlay attacks. 
  • It asks users to enable access permission and adds itself as a device admin and prevents users from disabling Device Admin, making it uninstallable from the device.
  • It creates an overlay with fake login screens over legitimate banking apps to trick users into entering their credentials. 
  • It steals credentials from banking applications on users' devices. 
  • In addition, it is capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and MFA verification requests.


Though Google removes offending apps from its store, they often remain to live on third-party app stores and marketplaces. Therefore, users are recommended to refrain from granting unnecessary permissions to apps while downloading apps from app stores and verify their legitimacy by checking for developer information, reading reviews, and scrutinizing their privacy policies.
Cyware Publisher