NCC warns telecoms operators, subscribers of new malware

Nigerian Communications Commission’s Computer Security Incident Response Team (CSIRT) has discovered newly hatched malicious software that steals users’ banking app login credentials on Android devices.

According to a security advisory from the NCC CSIRT, yesterday, the malicious software called “Xenomorph” targeted 56 financial institutions from Europe and has a high impact and high vulnerability rate.

The main intent of the malware is to steal credentials, combined with the use of Short Messaging Service (SMS) and notification interception to login and use potential two-factor authentication tokens.

Xenomorph is propagated by an application that was slipped into Google Play Store and masquerades as a legitimate application called “Fast Cleaner” ostensibly meant to clear junk, increase device speed and optimise the battery. In reality, this app is only a means by which the Xenomorph Trojan can be propagated easily and efficiently.

To avoid early detection or being denied access to the Play Store, “Fast Cleaner” was disseminated before the malware was placed on the remote server, making it hard for Google to determine that such an app is being used for malicious actions.

NCC explained that once up and running on a victim’s device, Xenomorph can harvest device information and SMS, intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it. The threat also asks for accessibility services privileges, which allow it to grant itself further permissions.

The commission said the malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones. Considering that it can also intercept messages and notifications, it allows its operators to bypass SMS-based two-factor authentication and log into the victims’ accounts without alerting them.

“Xenomorph has been found to target 56 Internet banking apps, 28 from Spain, 12 from Italy, nine from Belgium, and seven from Portugal, as well as cryptocurrency wallets and general-purpose applications, like email services.

“The Fast Cleaner app has now been removed from Play Store but not before it garnered 50,000+ downloads,” the CSIRT advisory said.

NCC advised telecoms consumers to be on alert to avoid falling victim to this manipulation. Accordingly, it urged consumers and other Internet users, particularly those using Android-powered devices, to deploy trusted antivirus solutions and update them regularly to the latest definitions. The commission also implored consumers and other stakeholders to always update banking applications to their most recent versions.