# Xenomorph
Xenomorph is an Android banking trojan developed by the Hadoken Security Group, notable for its rapid feature iteration across three major versions between February 2022 and mid-2023. Version 3 introduced a full ATS (Automated Transfer System) engine powered by a JSON-based scripting runtime that executes fraud workflows autonomously on the victim's device. With 400+ targeted financial institutions spanning multiple continents, Xenomorph represents the trajectory of modern Android bankers: fast development cycles, MaaS ambitions, and increasingly autonomous on-device fraud.
## Overview
| Attribute | Details |
|---|---|
| First Seen | February 2022 |
| Status | Active (2024) |
| Type | Banking trojan, ATS fraud |
| Aliases | Xenomorph.A (v1), Xenomorph.B (v2), Xenomorph.C (v3) |
| Attribution | Hadoken Security Group |
| Distribution | Google Play (via GymDrop, Zombinder), direct download |
## Origin and Lineage
ThreatFabric discovered Xenomorph in February 2022 on the Google Play Store, where it had accumulated over 50,000 downloads through a dropper disguised as a "Fast Cleaner" utility. At discovery, ThreatFabric noted code overlaps with the Alien banking trojan (itself a Cerberus derivative), suggesting the authors studied or borrowed from that codebase.
In May 2022, the Hadoken Security Group publicly claimed ownership of Xenomorph and their dropper operation GymDrop on a dark web forum. ThreatFabric attributed both products to the same group, which had been active since at least late 2021 with GymDrop as their initial offering.
ThreatFabric also linked BugDrop, a dropper designed to bypass Android 13's restrictions on sideloaded apps requesting accessibility permissions, to Hadoken. BugDrop was found in development in August 2022, indicating that the group was investing in the distribution pipeline alongside the payload itself.
## Distribution
Xenomorph distribution has rotated through multiple dropper services:
| Period | Distribution Method | Details |
|---|---|---|
| Feb 2022 | GymDrop on Google Play | "Fast Cleaner" app, 50,000+ installs |
| Late 2022 | Zombinder | Payload bound to legitimate currency converter app |
| 2023 | Zombinder, direct download | Zombinder operators later claimed to shut down |
| Late 2023 | Direct distribution sites | Fake Chrome/Play Store download pages |
GymDrop: Hadoken's own dropper operation, managed in-house. Dropper apps on Google Play fetch and install the Xenomorph payload after the initial app passes review.
Zombinder: A third-party service that "binds" malicious payloads to legitimate APKs. ThreatFabric covered Zombinder in December 2022, documenting how Xenomorph was delivered via a currency converter app that downloaded a fake "Google Protect" update containing the actual payload.
## Capabilities
### Version Evolution
| Version | Date | Target Count | Key Features |
|---|---|---|---|
| v1 (Xenomorph.A) | Feb 2022 | 56 | Overlay injection, notification/SMS interception |
| v2 (Xenomorph.B) | Jun 2022 | ~100 | Complete code rewrite, modular architecture, limited wild activity |
| v3 (Xenomorph.C) | Mar 2023 | 400+ | Full ATS engine, JSON scripting runtime, cookie stealing, MFA bypass |
### v1 Capabilities
| Capability | Implementation |
|---|---|
| Overlay injection | WebView-based injects for 56 EU banking apps |
| SMS interception | Reads and intercepts incoming SMS for 2FA |
| Notification interception | Captures notification content via accessibility |
| App listing | Reports installed apps to C2 for target matching |
v1 lacked accessibility logging, remote actions, and any form of ATS. It was a basic overlay banker with limited scope.
### v2 Architecture
ThreatFabric noted that v2 (June 2022) was a complete rewrite that made the codebase modular and extensible. It saw only brief testing bursts in the wild, suggesting it served as a transitional build preparing the architecture for v3's feature set.
### v3 ATS Engine
The v3 ATS framework is Xenomorph's defining feature. It operates as a JSON-scripted runtime engine powered by accessibility services:
- The C2 sends JSON scripts defining sequences of actions
- Xenomorph parses the JSON into an ordered list of operations
- Each operation maps to an accessibility action (tap, swipe, text input, wait, conditional check)
- The engine executes operations sequentially, handling banking app navigation, credential entry, transfer initiation, and confirmation
- Third-party authenticator app content is read via accessibility to bypass MFA
The scripting approach means operators can define new fraud workflows without updating the malware binary. Target-specific scripts handle the unique UI flow of each banking app.
### v3 Full Feature Set
| Capability | Implementation |
|---|---|
| ATS engine | JSON-scripted runtime, autonomous transfer execution |
| Overlay injection | WebView injects for 400+ targets |
| Keylogging | Accessibility event capture |
| SMS/notification interception | Read, intercept, suppress messages |
| Cookie stealing | Captures session cookies from target apps |
| MFA bypass | Reads TOTP codes from authenticator apps via accessibility |
| Screen capture | On-demand screenshots sent to C2 |
| Anti-removal | Prevents uninstall through accessibility |
## Technical Details
### Modular Architecture (v2+)
The v2 rewrite introduced a module-based system where each capability runs as an independent component. Modules can be loaded, updated, or replaced without modifying the core malware binary. This design carried forward into v3 and enabled the ATS engine to be delivered as an add-on module.
### ATS Script Structure
The ATS engine processes JSON-formatted scripts from C2. Each script defines:
- Target: the package name of the banking app
- Steps: ordered array of accessibility actions
- Conditions: checks for UI state before proceeding (e.g., verify a button is visible)
- Data: transfer parameters (recipient, amount) injected into the flow
The engine handles error recovery, retrying steps when expected UI elements are not found within a timeout period.
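The following triage helper is an added example for analysts working from a captured C2 script; it is not code from Xenomorph, Hadoken, or ThreatFabric. It covers both the runtime described under "v3 ATS Engine" and the four-part script layout above: it parses a script into target, steps, conditions, and data, then pulls out what a responder wants first (the targeted package, the injected transfer parameters, any second package the script reads via accessibility, which is the MFA-bypass pattern, and the worst-case wait budget implied by the timeout-and-retry error recovery). The JSON field names (`target`, `steps`, `conditions`, `data`, `action`, `id`, `package`, `timeout_ms`, `retries`), the action vocabulary, and the sample script are all assumptions modelled on the description above; real samples use their own names.

```python
"""Triage helper for a captured Xenomorph-style ATS script.

Added example for analysts, not code from Xenomorph, Hadoken or ThreatFabric.
The JSON field names below (target, steps, conditions, data, action, id,
package, timeout_ms, retries) are an assumed schema modelled on the four-part
structure described in the page; real samples use their own names.
"""
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Any

# Constructed sample script (not a real capture). The "read" step against a
# second package mirrors the authenticator-reading MFA bypass described above.
SAMPLE_SCRIPT = json.dumps({
    "target": "com.example.bank",
    "data": {"recipient": "XX00 0000 0000 0000 0000 00", "amount": "950.00"},
    "conditions": [{"visible": "btn_login"}],
    "steps": [
        {"action": "wait", "id": "btn_login", "timeout_ms": 5000, "retries": 3},
        {"action": "tap", "id": "btn_login"},
        {"action": "read", "package": "com.example.authenticator", "id": "totp_code"},
        {"action": "input", "id": "otp_field", "value": "${totp_code}"},
        {"action": "tap", "id": "btn_confirm"},
    ],
})

# Assumed action vocabulary: the "tap, swipe, text input, wait, conditional
# check" set from the page, plus "read" for cross-app accessibility reads.
KNOWN_ACTIONS = {"tap", "swipe", "input", "wait", "check", "read"}


@dataclass
class AtsScript:
    target: str
    steps: list[dict[str, Any]]
    conditions: list[dict[str, Any]] = field(default_factory=list)
    data: dict[str, Any] = field(default_factory=dict)


def parse_ats_script(text: str) -> AtsScript:
    """Parse a script into its four parts, rejecting malformed input early."""
    raw = json.loads(text)
    if not isinstance(raw, dict):
        raise ValueError("ATS script must be a JSON object")
    for key in ("target", "steps"):
        if key not in raw:
            raise ValueError(f"ATS script missing required field: {key}")
    if not isinstance(raw["steps"], list):
        raise ValueError("steps must be an array")
    return AtsScript(
        target=raw["target"],
        steps=raw["steps"],
        conditions=raw.get("conditions", []),
        data=raw.get("data", {}),
    )


def summarize(script: AtsScript) -> dict[str, Any]:
    """Extract the target, transfer data, unknown actions, and any packages
    other than the target that the script reads from via accessibility."""
    actions = Counter(step.get("action", "<none>") for step in script.steps)
    unknown = sorted(a for a in actions if a not in KNOWN_ACTIONS)
    cross_app_reads = sorted({
        step["package"]
        for step in script.steps
        if step.get("action") == "read"
        and step.get("package") not in (None, script.target)
    })
    # Worst-case dwell time if every "wait" exhausts its retry budget, which
    # is the timeout-and-retry error recovery described on the page.
    wait_budget_ms = sum(
        int(step.get("timeout_ms", 0)) * max(1, int(step.get("retries", 1)))
        for step in script.steps
        if step.get("action") == "wait"
    )
    return {
        "target": script.target,
        "step_count": len(script.steps),
        "actions": dict(actions),
        "unknown_actions": unknown,
        "transfer": {k: script.data.get(k) for k in ("recipient", "amount")},
        "cross_app_reads": cross_app_reads,
        "wait_budget_ms": wait_budget_ms,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_ats_script(SAMPLE_SCRIPT)), indent=2))
```

The `cross_app_reads` list is the field worth alerting on: a script whose reads touch a package other than its own target is the on-device equivalent of the authenticator-reading MFA bypass described above, and `unknown_actions` flags vocabulary the parser has not seen, which is how a new engine version would first show up in captured scripts.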
### C2 Communication
| Component | Details |
|---|---|
| Protocol | HTTPS |
| Data format | JSON payloads |
| Configuration | Target lists, inject URLs, ATS scripts delivered per-device based on installed apps |
| Commands | Install module, update config, execute ATS script, capture screen, steal cookies |
## Target Regions and Financial Institutions
| Version | Regions | Notable Targets |
|---|---|---|
| v1 | Spain, Portugal, Italy, Belgium | 56 EU banking apps |
| v2 | Same as v1, expanded | ~100 apps |
| v3 | EU, US, Middle East, Asia | 400+ banking apps, cryptocurrency wallets |
ThreatFabric's v3 analysis noted the target list expansion represented a 6x increase over prior versions, with institutions spanning all continents.
September 2023 US expansion: ThreatFabric documented Xenomorph targeting 30+ US financial institutions including Chase, Citi, Bank of America, Capital One, and multiple cryptocurrency platforms. This marked the first deliberate US campaign.
## Notable Campaigns
February 2022: ThreatFabric identified Xenomorph v1 on Google Play via a "Fast Cleaner" dropper app with 50,000+ downloads. The malware targeted 56 European banking apps with overlay injection and SMS interception.
May 2022: Hadoken Security Group claimed ownership of Xenomorph and GymDrop on a dark web forum, establishing public attribution.
June 2022: Xenomorph v2 appeared in brief testing campaigns. ThreatFabric noted the complete code overhaul and modular architecture as preparation for future capabilities.
August 2022: ThreatFabric discovered BugDrop, a Hadoken-developed dropper designed to bypass Android 13's sideloading restrictions, indicating the group was actively investing in distribution infrastructure.
March 2023: Xenomorph v3 was disclosed by ThreatFabric, distributed via Zombinder-bound currency converter apps. The ATS engine and expanded target list of 400+ institutions represented a major operational leap.
September 2023: ThreatFabric reported Xenomorph targeting 30+ US banks for the first time, distributed through fake Chrome browser download pages rather than Play Store droppers.