DroidBot Malware: New Threat Targets 77 Banking and Crypto Apps – What You Need to Know

A new Android malware called DroidBot has emerged as a significant threat, targeting over 77 banking and cryptocurrency apps in countries including the UK, Italy, France, Spain, and Portugal. Discovered in December 2024 by Cleafy researchers, the malware has been active since June 2024 and operates as a malware-as-a-service (MaaS) platform.

Sophisticated Features of DroidBot

DroidBot is a sophisticated Android Remote Access Trojan (RAT) that includes characteristics typically found in spyware. It has traditional hidden VNC and overlay capabilities. The malware includes a keylogger and monitoring routines that enable the interception of user interactions, making it a powerful tool for surveillance and credential theft.

Dual-Channel Communication

One of DroidBot’s unique features is its dual-channel communication system. Inbound commands, like overlay target parameters, are received over HTTPS, while outgoing data from compromised devices is sent using the MQTT (Message Queuing Telemetry Transport) protocol. This separation improves its operational flexibility and robustness.

Target List and Spread

The malware targets 77 different organizations, including national organizations, cryptocurrency exchanges, and banks. Active campaigns have been detected in countries including the United Kingdom, Italy, France, Spain, and Portugal, and researchers also see signs of a potential expansion into Latin America.

Decoy Tactics

Attackers use popular decoys commonly seen in banking malware distribution efforts to trick victims into downloading and installing DroidBot. The malware poses as well-known banking apps, Google services, or generic security apps. This tactic makes it difficult for users to identify the malicious nature of the app.

Accessibility Services Exploitation

DroidBot’s malicious operations mostly rely on abusing Android’s Accessibility Services. This allows the malware to perform keylogging and overlay attacks, further enhancing its capabilities for stealing sensitive information.
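Because DroidBot, like most Android banking trojans, depends on the victim granting it an Accessibility Service, an unexpected entry in the device's enabled-services setting is a strong lead during triage. The following script is an added example, not code from the article or from Cleafy: it checks the setting's value against an allowlist. On a live device the value would come from `adb shell settings get secure enabled_accessibility_services`; here both the setting value and the allowlist are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example: flag accessibility services that are enabled on an Android
# device but not on an expected-services allowlist. Android stores the setting
# as colon-separated "package/ServiceClass" entries, or the string "null" when
# no service is enabled.

# Constructed sample of the setting value (a real value comes from:
#   adb shell settings get secure enabled_accessibility_services).
# The second entry is a constructed placeholder, not a real DroidBot component.
SAMPLE_SETTING='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakebank/com.example.fakebank.svc.Acc'

# Constructed allowlist: services the organisation expects to see enabled.
ALLOWLIST='com.android.talkback/com.google.android.marvin.talkback.TalkBackService
com.google.android.accessibility.switchaccess/com.android.switchaccess.SwitchAccessService'

# Print every enabled service that is not in the allowlist, one per line.
# Usage: flag_unknown_services "<colon-separated setting value>"
flag_unknown_services() {
    setting=$1
    # Nothing enabled: nothing to report.
    [ -z "$setting" ] || [ "$setting" = "null" ] && return 0
    printf '%s\n' "$setting" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        # Exact, whole-line match against the allowlist.
        if ! printf '%s\n' "$ALLOWLIST" | grep -qxF "$svc"; then
            printf '%s\n' "$svc"
        fi
    done
}

# Any line printed here names a service that warrants a closer look.
flag_unknown_services "$SAMPLE_SETTING"
```

Every line the script prints is a service that is enabled but unexpected, which is where an analyst would start when a banking or crypto app user reports suspicious behaviour.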

MaaS Infrastructure

An analysis of DroidBot samples revealed its Malware-as-a-Service (MaaS) infrastructure, with 17 different affiliate organizations identified and given unique identifiers. This infrastructure allows for a wide distribution and continuous development of the malware.

Developer Insights

Based on the information found in malware samples, researchers believe that most of its developers speak Turkish. The malware also appears to be under active development, with features such as obfuscation, emulator checks, and multi-stage unpacking differing between samples.

Escalating Threat

As DroidBot evolves, it poses an escalating threat to financial institutions, government entities, and other high-value targets across multiple regions. The combination of advanced surveillance features, dual-channel communication, a diverse target list, and an active MaaS infrastructure highlights DroidBot’s sophistication and adaptability.

Conclusion

DroidBot is a potent threat to Android users, especially those using banking and cryptocurrency apps. Its sophisticated features and wide target list make it a significant concern for cybersecurity professionals. Users are advised to be cautious when downloading apps and to keep their devices updated with the latest security patches.
