MasterFred Using Gymdrop to Distribute Xenomorph Android Banking Trojan

Hostile Downloader Masquerading As “QR Scanner” Application

MasterFred was discovered in November 2021 as an undetected new variant of the Android Banking Trojans targeting Poland and Turkey. Cyble Research Labs (CRL) published a detailed technical analysis of MasterFred after its discovery, and we have been closely monitoring the activity of evolving Banking Trojans.

While conducting a routine threat hunting exercise, CRL came across a Twitter post where the security researcher mentioned the sample of MasterFred hosted on opendir malicious website hxxp://repo.had0k3n[.]tech.

The Threat Actor (TA) known as Hadoken Security (a group of malware developers) is behind the development of this MasterFred malware, including Xenomorph, MaqSpy RAT, and Gymdrop dropper.

Figure 1 – Hadoken Security Post

Based on our detailed investigation, the sample was identified as a new variant of MasterFred, which uses Gymdrop to download Xenomorph Android Banking Trojan.

Various malware families use the Dropper as a Service (DaaS) model to bypass the security mechanisms implemented by the Google Play Store. In this case, the malware uses Gymdrop dropper to download an advanced Android Banking Trojan to infect the victim’s device.

The new MasterFred variant is missing the banking overlay HTML file present in the assets folder, as shown below.

Figure 2 – Comparison of New and Old MasterFred variants

The new variant of Masterfred acts as a hostile downloader instead of performing banking Trojan activities. The TA has added an extra module that checks whether the malicious application is present on the Google Play Store and downloads the Xenomorph malware.

Our analysis indicates that the TA has designed this malicious application to host on the Google Play Store as a hostile downloader to distribute the Xenomorph malware.

Similar behavior has been observed in the past when the TA has published banking Trojans like Hydra, Alien, Octo, and several others on the Google Play Store disguised as Document Manager or Antivirus applications and used droppers to download malware after installation.

The infection mechanism is explained in detail in the Technical Analysis section.

Technical Analysis

APK Metadata Information   

  • App Name: another QRScan
  • Package Name: hdkjvi.looawt.fpfzys
  • SHA256 Hash: 214a576b46241bdf76bb4dbeacc7a456905eacd345fc515e0b38d6976c271168


Figure 3 shows the metadata information of the application.  

Figure 3 – MasterFred App Metadata Information 

The malware pretends to be the QR code scanner application to hide its malicious activity. The TA uses benign application names and logos to publish the malware on the Google Play Store to appear genuine.

After installation, the malware connects to the Onion URL and receives the malicious URL hxxps://anotherqrscannerapp[.]one/get_random_file in response which downloads the Xenomorph Banking Trojan file named “3.apk”.

Figure 4 – Connecting to Onion URL and receiving malicious URL to download Xenomorph

Before installing the Xenomorph malware on the infected device, MasterFred malware checks whether the application was published on the Play Store or not. If MasterFred is not present in the Play Store, the malware does not connect to the malicious URL received in response and download malware.

Figure 5 – Code to check whether the malware was published on the Play Store

The below image showcases the Gymdrop admin panel of the malicious URL received in the response of the Onion URL.

Figure 6 – Admin Panel of malicious URL

Xenomorph Banking Trojan

APK Metadata Information   

  • App Name: Android Security Service
  • Package Name: deceva.lgmihi.wtcozl
  • SHA256 Hash: ab345951a3e673aec99f80d39fa8f9cdb0d1ac07e0322dae3497c237f7b37277


Figure 7 – Xenomorph App Metadata Information 

Manifest Description  

The malicious application mentions 18 permissions, of which the TA exploits 5. The harmful permissions requested by the malware are:  

Permission  Description 
RECEIVE_SMSAllows an application to receive SMS messages
READ_SMSAccess phone messages
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device
SYSTEM_ALERT_WINDOWAllows an app to create windows

Source Code Review  

After installation of the downloaded APK file, the malware prompts the victim to turn on the Accessibility Service. Once the Accessibility Service is granted, the malware starts abusing the service to auto-enable permissions, activate device admin, and collect key logs.

Figure 8 – Accessibility Service

The malware sends the encrypted list of applications installed on the infected device to the Command & Control (C&C) server to identify the targeted application.

Figure 9 – Malware sending the installed application list

Once the targeted application is identified, the malware receives the HTML overlay page from the URL hxxp://x2u2[.]art/es/[.]html. In this case, the malware receives the overlay payload for “BBVA bank.”

Figure 10 – Malware receiving the HTML overlay page

When the victim tries to interact with the installed banking application, the malware displays the downloaded HTML injection page to steal the credentials entered by the victim.

The below image shows the HTML phishing page used to trick the victim into falling for the phishing scheme while attempting to access the genuine application.

Figure 11 – Fake phishing pages targeting banking applications


According to our research, the TA seems to be developing the malware to publish it on the Google Play Store, indicating it is still in development. In the coming days, we may observe the malware dropping the Xenomorph Banking Trojan hosted on the Play Store.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection? 

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Antiviruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers? 

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques 

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
CollectionT1412Capture SMS Messages
CollectionT1517Access Notifications
CollectionT1533Data from Local System
DiscoveryT1421System network connection discovery
Command and ControlT1571Non-standard port
Command and ControlT1573Encrypted data
Credential AccessT1417Input Capture

Indicators of Compromise (IOCs) 

IndicatorsIndicator TypeDescription
214a576b46241bdf76bb4dbeacc7a456905eacd345fc515e0b38d6976c271168SHA256Hash of the analyzed MasterFred APK file
a7a2fbb022e391618f8f62acf07c7d4681f98775SHA1Hash of the analyzed MasterFred  APK file 
4b3c99ae792e7389c43102060633b4ccMD5Hash of the analyzed MasterFred APK file
hxxps://txxiptfyfj3tr2v6orvkyvzksm5j44ldekbvdd5j74imqumpcmknf4yd.onion.wsURLC&C server
hxxp://repo.had0k3n[.]techURLMalware distribution site
hxxps://anotherqrscannerapp[.]oneURLGymdrop URL
ab345951a3e673aec99f80d39fa8f9cdb0d1ac07e0322dae3497c237f7b37277SHA256Hash of the analyzed APK file
167036086435e133fab66ed14c51b7812b314c51SHA1Hash of the analyzed APK file 
42efd88844b49e05ec19dd831354093aMD5Hash of the analyzed APK file
hxxp://gogoanalytics[.]clickURLC&C server
hxxp://x2u2[.]artURLInjection downloader URL

Scroll to Top