ThreatFabric, the group that discovered the malware, says it shares similarities with another banking trojan, Alien, beyond the naming convention. It also appears to be under heavy development. Researchers say that it is built on a modular engine so that it can abuse services present in Android, such as the accessibility service. This service is like the keys to the kingdom: when a user grants an application access to it, a malicious application like Alien or Xenomorph gains full control over the screen and device input and, in some cases, the ability to grant itself additional permissions as needed.
The app being used by Xenomorph appears to be a performance-enhancing app called “Fast Cleaner”. It is no longer visible in the Play Store (as of this writing), although screenshots of the app page indicate it had been downloaded and installed 50,000 times. This does not mean that other versions of this malware are not planned for future release via the Play Store, or that others are not already lurking there. Considering the number of poisoned apps being discovered in the Play Store, Android users are advised to use caution when installing any apps there.
At the time of its discovery, the malicious application had the ability to monitor and intercept SMS messages and to perform overlay attacks, which means it can capture credentials and one-time passwords. Like many recent banking trojans, it gathers information on installed apps and packages; the malware uses this inventory to present the proper overlay for each targeted app during an attack. ThreatFabric researchers also noted that the developers were working on additional functionality such as keylogging and behavior collection and monitoring.
The Android Accessibility Service has been an often-abused vector for attackers, and this has prompted Google to revise what applications can and cannot do with the underlying permission set. Google is going to require a Permissions Declaration Form for any app that wants to use the API. Although this new policy went into effect in mid-2021, it does not affect anything that was put into the Google Play Store before that. It is also not likely to slow down abuse of this API: because it offers such a wide control set, it is going to remain a target for attackers looking for a quick compromise. Users who are presented with an app requesting this level of permission are advised to remove the app in question unless it is one that really would need it (like a real accessibility app).
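A practical way to act on that advice is to audit which packages currently hold accessibility-service access on a device and flag any that are not on a short, expected list. The script below is an added example, not code from the article or from ThreatFabric; on a real device the input comes from `adb shell settings get secure enabled_accessibility_services`, which returns colon-separated `package/ServiceClass` entries (or `null` when none are enabled). The allowlist, the sample settings value and the `com.example.fastcleaner` package name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): list enabled Android accessibility
# services whose package is not on an allowlist. Real input on a device:
#   adb shell settings get secure enabled_accessibility_services
# Output format of that setting: "pkg/ServiceClass:pkg2/ServiceClass2" or "null".

# Packages expected to hold accessibility access (assumed allowlist; adjust per fleet).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# Print, one per line, the package name of every enabled accessibility service
# that is not in ALLOWED_PKGS. $1 is the raw value of the secure setting.
suspicious_accessibility_services() {
    raw="$1"
    # No services enabled: nothing to report.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    # Split on ':' into entries, then take the package part before '/'.
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ]; then
            continue
        fi
        pkg="${entry%%/*}"
        allowed=0
        for a in $ALLOWED_PKGS; do
            if [ "$pkg" = "$a" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# Count of flagged packages, handy for scripting a pass/fail check.
suspicious_count() {
    suspicious_accessibility_services "$1" | grep -c . || true
}

# Constructed sample value: one legitimate screen reader plus a "cleaner" app
# that has obtained accessibility access (placeholder package name).
SAMPLE_VALUE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fastcleaner/.AccessibilityBridge'

# Usage: sh check_a11y.sh "$(adb shell settings get secure enabled_accessibility_services)"
# With no argument the constructed sample is used so the script runs offline.
suspicious_accessibility_services "${1:-$SAMPLE_VALUE}"
```

Any package printed by the script is a candidate for the removal the article recommends; a cleaner or utility app has no legitimate reason to hold this service, whereas a screen reader does.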