ALERT: Detection of software stealing users’ banking credentials on phones


The Nigerian Communications Commission’s Computer Security Incident Response Team (CSIRT) has discovered new malware that steals users’ banking app login credentials on Android devices.

According to a security advisory from the Commission’s CSIRT, the software identified as Xenomorph targeted 56 European financial institutions. It is said to have a high impact and vulnerability rate.

In a statement, Dr. Ikechukwu Adinde, director of public affairs for the Commission, explained that Xenomorph is spread by an app that was slipped into Google Play Store and masquerading as a legitimate app called “Fast Cleaner”.

He said it’s apparently meant to eliminate junk, boost device speed, and optimize battery life.

In reality, the app, according to the statement, is just a means through which the Xenomorph Trojan could spread easily and efficiently.

He pointed out that the main intent of the malware is to steal credentials, combined with the use of SMS and notification interception to log in and use potential two-factor authentication tokens.

Once operational on a victim’s device, Xenomorph, according to the team, can collect device and short messaging service (SMS) information, intercept notifications and new SMS messages, perform overlay and prevent users from uninstalling it. The threat also asks for accessibility services privileges, which allows it to grant itself other permissions.

“To avoid early detection or being denied access to the PlayStore, ‘Fast Cleaner’ was released before the malware was placed on the remote server, making it difficult for Google to determine that such an app is used for malicious actions.”

The team further noted that the malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones.

“Considering that it can also intercept messages and notifications, it allows its operators to bypass SMS two-factor authentication and log into victims’ accounts without alerting them.

“Xenomorph was found to target 56 online banking apps, 28 from Spain, 12 from Italy, nine from Belgium and seven from Portugal, as well as cryptocurrency wallets and general-purpose apps like mobile services. The Fast Cleaner app has now been removed from the Play Store, but not before garnering over 50,000 downloads,” the CSIRT security advisory said.

NCC therefore advised telecom consumers to be on the alert so as not to be victims of this manipulation. He also urged telecom consumers and other internet users, especially those using Android devices, to use reliable antivirus solutions and update them regularly with their latest definitions.

In addition, the Commission implored consumers and other stakeholders to always update banking apps to their latest versions.


Comments are closed.