An Android banking trojan named Xenomorph has been observed spreading using the official Google Play Store. The trojan targeted 56 European banks to harvest sensitive information.

About Xenomorph trojan

According to researchers, the in-development variant of Xenomorph overlaps with another banking trojan, Alien.
  • The trojan focuses on bypassing Google Play Store's security protections by masquerading as productivity apps, such as Fast Cleaner, to fool unsuspecting victims into installing it.
  • Even though Xenomorph is a work-in-progress, it effectively overlays and spreads via official app stores.
  • It comes with a modular engine that abuses accessibility services, which may allow advanced capabilities.

Additional insights

  • Xenomorph trojan injects rogue overlay screens at the top of the targeted apps in Italy, Portugal, Belgium, and Spain. Additionally, it targets emailing services and cryptocurrency wallets.
  • It has a notification interception feature to obtain 2FA tokens received through SMS and get a list of installed apps. These results are then exfiltrated to a remote C2 server.


The Xenomorph trojan is focused on landing applications on official markets such as Google Play Store. At present, the trojan is under development and could become more advanced in the future. Thus, experts recommend using an anti-malware app in smartphones and monitoring app behavior after installations.
Cyware Publisher