These spy apps have been able to steal your bank passwords

Google has removed two newly detected malicious apps from the Play Store. One posed as a lifestyle app and the other as an expense tracker, when in fact both were distributing the Xenomorph banking malware.

Although there are only two applications, they are no joke: they could get hold of important data such as bank passwords, with all the consequences that entails. If you have installed them, they could affect you without you noticing, so we tell you what they are and how they work. If you have either of them, uninstall it from your phone immediately.

These apps steal your bank details

According to analysis published by researchers Himanshu Sharma and Viral Gandhi, Xenomorph is confirmed to be a Trojan that steals banking app credentials from users' devices. It can also intercept victims' SMS messages and notifications to steal one-time passwords and multi-factor authentication requests, which makes it especially dangerous.

One of the apps posed as a lifestyle app and the other as an expense tracking service. Both behave as described above. The two applications were created to steal your bank details, but for the latter the URL showing where the malware came from could not be extracted.

Neither is still in the Google app store, although it doesn't hurt to check whether you or someone you know has one installed.

The two malicious applications are these:

  • Todo: Day manager (com.todo.daymanager) – More than 1000 downloads

  • 経費キーパー(com.setprice.expenses) – Over 1000 downloads

This is how the apps work, which are no longer in the Play Store

Both applications work as droppers, which means that they are harmless in themselves but are used to retrieve the actual payload. In the first case the payload is hosted on GitHub; in the second, it was not possible to determine where it came from.

Xenomorph was first documented by ThreatFabric in early February of this year. This Trojan abuses Android's accessibility permissions to perform overlay attacks, presenting fake login screens on top of legitimate banking apps to steal its victims' credentials.

If you fall for it, the attackers can get hold of your bank details and steal your money, among many other things. In addition, the malware uses a Telegram channel description to decode and build the command and control (C2) domain from which it receives additional commands.

This discovery came after another 4 unauthorized apps were detected on Google Play directing their victims to malicious websites. They are listed here in case you have not heard of them yet.

  • Bluetooth App Sender (
  • Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices)
  • Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb)
  • Mobile transfer: smart switch (

Finally, Google has removed the apps from its store and banned the developer. It does not hurt to check whether you have any of the apps mentioned here and to strengthen your phone's security with a good antivirus. Also, be very careful about what you install. Your phone is more exposed to danger than you imagine.
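To check a device for the package names listed in this article, the following added example (not from the original article or the researchers) filters the output of `adb shell pm list packages` and lists which packages hold an enabled accessibility service, the permission Xenomorph abuses. The two entries whose package names are cut off above are omitted, and the sample input and the service class name in it are constructed.

```shell
#!/bin/sh
# Package names copied from the article's two lists (complete entries only).
IOC_PACKAGES="com.todo.daymanager
com.setprice.expenses
com.bluetooth.autoconnect.anybtdevices
com.driver.finder.bluetooth.wifi.usb"

# Read package names on stdin, print those that exactly equal a listed name.
# Exact, fixed-string matching avoids flagging e.g. "com.todo.daymanager.pro".
match_listed() {
    while IFS= read -r pkg; do
        if printf '%s\n' "$IOC_PACKAGES" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# stdin: output of `pm list packages` ("package:<name>" per line, may carry CRs).
find_listed_packages() {
    tr -d '\r' | sed -n 's/^package://p' | match_listed
}

# stdin: value of `settings get secure enabled_accessibility_services`, a
# colon-separated list of "<package>/<service class>" entries, or "null".
# Prints the package of every enabled accessibility service.
accessibility_packages() {
    tr -d '\r' | tr ':' '\n' | sed -n 's#^\([^/][^/]*\)/.*#\1#p' | sort -u
}

# Constructed sample data so the script runs without a device attached.
SAMPLE_PM='package:com.android.settings
package:com.todo.daymanager
package:com.todo.daymanager.pro
package:com.example.notes'
SAMPLE_A11Y='com.todo.daymanager/.PlaceholderService:com.google.android.marvin.talkback/.TalkBackService'

if [ "${1:-}" = "--adb" ]; then
    # Live mode: requires adb and a connected device with USB debugging enabled.
    adb shell pm list packages | find_listed_packages
    adb shell settings get secure enabled_accessibility_services | accessibility_packages
else
    printf '%s\n' "$SAMPLE_PM" | find_listed_packages
    printf '%s\n' "$SAMPLE_A11Y" | accessibility_packages
fi
```

Any package printed by the first check should be uninstalled; the second list is worth reviewing by hand, since an accessibility service you do not recognise can read and draw over other apps.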