New DroidBot Android banking malware spreads across Europe


A new Android banking malware named 'DroidBot' attempts to steal credentials for over 77 cryptocurrency exchanges and banking apps in the UK, Italy, France, Spain, and Portugal.

According to the Cleafy researchers who discovered the new Android malware, DroidBot has been active since June 2024 and operates as a malware-as-a-service (MaaS) platform, selling the tool for $3,000/month.

At least 17 affiliate groups have been identified using the malware builder to customize their payloads for specific targets.

Although DroidBot lacks any novel or sophisticated features, analysis of one of its botnets revealed 776 unique infections across the UK, Italy, France, Turkey, and Germany, indicating significant activity.

Additionally, Cleafy says the malware appears to be under heavy development at the time of writing, with signs of attempted expansion into new regions, including Latin America.

The DroidBot MaaS operation

DroidBot's developers, who appear to be Turkish, provide affiliates with all the tools required to conduct attacks. This includes the malware builder, command and control (C2) servers, and a central administration panel from which they can control their operations, retrieve stolen data, and issue commands.

Creators claiming DroidBot works well on Android 14
Source: Cleafy

Multiple affiliates operate on the same C2 infrastructure, with unique identifiers assigned to each group, allowing Cleafy to identify 17 threat groups.

Affiliates extracted from the sample's configuration
Source: Cleafy

The payload builder allows affiliates to customize DroidBot to target specific applications, use different languages, and set different C2 server addresses.

Affiliates are also given access to detailed documentation, support from the malware's creators, and access to a Telegram channel where updates are published regularly.

All in all, the DroidBot MaaS operation makes the barrier to entry fairly low for inexperienced or low-skilled cybercriminals.

Admin panel giving affiliates complete control
Source: Cleafy

Impersonating popular apps

DroidBot is commonly disguised as Google Chrome, the Google Play Store, or 'Android Security' as a way to trick users into installing the malicious app.

However, in all cases, it acts as a trojan attempting to steal sensitive information from apps.

DroidBot's masking apps
Source: Cleafy

The main features of the malware are:

  • Keylogging – Capturing every keystroke entered by the victim.
  • Overlaying – Displaying fake login pages over legitimate banking app interfaces.
  • SMS interception – Hijacking incoming SMS messages, particularly those containing one-time passwords (OTPs) for banking sign-ins.
  • Virtual Network Computing – A VNC module gives affiliates the ability to remotely view and control the infected device, execute commands, and darken the screen to hide the malicious activity.

A key aspect of DroidBot's operation is the abuse of Android's Accessibility Services to monitor user actions and simulate swipes and taps on behalf of the malware. Therefore, if you install an app that requests unusual permissions, like the Accessibility Services, you should immediately become suspicious and deny the request.
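The two traits above (Accessibility access granted to an unfamiliar package, and an app label that imitates Chrome, Google Play or "Android Security") can be checked together during device triage. The helper below is an added example, not Cleafy's or the page's code; the allowlist, the `com.example.*` package names and the sample data are constructed, while the `enabled_accessibility_services` setting format ("pkg/Service:pkg/Service") is Android's own.

```python
# Added triage helper (not Cleafy's or the page's code) for the two DroidBot
# traits described above: Accessibility Services enabled for packages outside
# an allowlist, and apps whose label imitates Chrome, Google Play or "Android
# Security" under a foreign package name. Package names below are constructed.

# Vendor components legitimately holding Accessibility access (constructed allowlist).
TRUSTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback", "com.android.settings"}
# Genuine package names of the apps DroidBot disguises itself as.
GENUINE = {"chrome": "com.android.chrome", "google play": "com.android.vending"}

def parse_enabled_services(setting_value):
    """Parse the `enabled_accessibility_services` secure setting ("pkg/Service:pkg/Service" or "null")."""
    if not setting_value or setting_value.strip() == "null":
        return []
    pairs = []
    for entry in setting_value.strip().split(":"):
        if entry:
            pkg, _, cls = entry.partition("/")
            pairs.append((pkg, cls))
    return pairs

def untrusted_a11y(setting_value, allow=TRUSTED_A11Y_PACKAGES):
    """Packages holding Accessibility access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_enabled_services(setting_value)
                   if pkg not in allow})

def impersonators(installed):
    """installed maps package name -> display label. Flag labels that imitate
    Chrome/Google Play under a non-genuine package, or any "Android Security" label."""
    flagged = set()
    for pkg, label in installed.items():
        norm = label.lower()
        if norm == "android security":  # no genuine system app uses this label
            flagged.add(pkg)
        for key, genuine_pkg in GENUINE.items():
            if key in norm and pkg != genuine_pkg:
                flagged.add(pkg)
    return sorted(flagged)

def triage(setting_value, installed):
    """Combine both checks; a package hit by both is the highest priority."""
    a11y, fakes = untrusted_a11y(setting_value), impersonators(installed)
    return {"untrusted_a11y": a11y, "impersonators": fakes,
            "critical": sorted(set(a11y) & set(fakes))}

# Constructed sample input, shaped like `settings get secure enabled_accessibility_services` output.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.secupdate/com.example.secupdate.A11yService")
SAMPLE_INSTALLED = {"com.android.chrome": "Chrome", "com.android.vending": "Google Play Store",
                    "com.example.secupdate": "Android Security", "com.example.notes": "Notes"}
```

Running `triage(SAMPLE_SETTING, SAMPLE_INSTALLED)` on the constructed data flags `com.example.secupdate` on both checks, which is exactly the combination the article describes.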

Among the 77 apps DroidBot attempts to steal credentials from, some standouts include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA.

To mitigate this threat, Android users are advised to only download apps from Google Play, scrutinize permission requests upon installation, and make sure Play Protect is active on their devices.
