
Android is a very capable operating system, fully equipped with tools and features that make it even more powerful.
But to some people, the operating system still lacks a thing or two, or maybe more. Among the things Android users are after are extending battery usage and making phones run faster. Old Android and feature phones do have their own disadvantages, and this is why apps that help with these issues exist.
One app that promises to help is called 'Fast Cleaner'.
Posing as an innocent and helpful "battery saver & phone booster," Fast Cleaner managed to get more than 50,000 installs before Google finally caught on to the app's real intentions.
Targeting users of dozens of financial institutions in Spain, Portugal, Italy, and Belgium, the app is a host for banking malware that can steal credentials and sensitive financial information, take over accounts, perform unauthorized transactions, intercept text messages and notifications without users' intervention or knowledge, and more.
According to a report from the researchers at fraud and cybercrime prevention company ThreatFabric, the app carries malware called 'Xenomorph'.

After Android users install the Fast Cleaner app, the first thing the app does is ask users to grant it the Accessibility Service permission. When granted, the app can use it to grant itself additional permissions as needed.
This way, it can add features like keylogging and behavioral data collection.
The app then sends its command and control center a list of installed packages users have on their phones, in order to download suitable overlays for those apps.
To evade rejection during the application review by the Google Play Store, Fast Cleaner is clean at submission time, and only downloads its payload after installation.
"All in all, the malware may add next-level capabilities at any time, as only minor code implementations and modifications are required to activate extensive data siphoning functions," explained the researchers.
"Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said.
"In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS."
ThreatFabric recognized Xenomorph as a member of the "Gymdrop" dropper family, first discovered in November 2021.

The name "Xenomorph" comes from the name of the main antagonist featured in the horror film franchise Alien.
The species is an alien being that lacks technological civilization of any kind. Instead, the creatures are primal, extremely aggressive predators, with no higher goal than the preservation and propagation of their own species by any means necessary.
Usually, their biological life cycle involves traumatic implantation of endoparasitoid larvae inside living hosts. When the larvae mature, they will erupt from the host, and after a short incubation period, the aliens will rapidly mature from juvenile into adulthood within hours.
In this malware's case, Xenomorph was apparently discovered in the infancy stage of its development, meaning that some of its malicious capabilities were not yet operational when ThreatFabric analyzed it.
In other words, the Xenomorph malware is a bit less dangerous than it is supposed to be.
However, it should be noted that the findings do not prevent the authors from further developing the malware. In the researchers' words, it could reach its full potential, "comparable to other modern Android Banking trojans."
The best way to deal with banking malware is to install apps only from Google Play Store, analyze app permissions, remove any malicious app, and check for any unauthorized transactions. Users should also practice security precautions, like frequently changing passwords, PIN numbers and so forth, and use two-factor authentication.
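As an added example (not from ThreatFabric's report or the original article), the permission analysis mentioned above can be automated over a decoded `AndroidManifest.xml`: the script flags an app that declares an accessibility service together with SMS access or installed-package enumeration, the combination the article describes. The permission mapping, the heuristic, and the sample manifest (`com.example.cleaner`, `.BoostService`) are assumptions constructed for illustration, not values taken from the Fast Cleaner sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping from behaviours the article describes to standard Android
# permissions; not extracted from the Fast Cleaner sample itself.
RISKY_USES = {
    "android.permission.RECEIVE_SMS": "can receive incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps",
}

def triage_manifest(manifest_xml):
    """Return sorted findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in RISKY_USES:
            findings.append(f"{name}: {RISKY_USES[name]}")
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND:
            findings.append("accessibility service: " + svc.get(ANDROID_NS + "name", "?"))
    return sorted(findings)

def is_suspicious(findings):
    # Heuristic (assumption): an accessibility service plus SMS access or
    # package enumeration in a utility app warrants manual review.
    has_a11y = any(f.startswith("accessibility service") for f in findings)
    return has_a11y and len(findings) > 1

# Constructed sample manifest for a hypothetical "cleaner" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".BoostService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    results = triage_manifest(SAMPLE)
    print("\n".join(results))
    print("review needed:", is_suspicious(results))
```

Because the article notes that the payload is downloaded only after installation, a clean manifest result does not clear an app; the check catches declared capabilities, not code fetched later.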