MaliBot Android Malware

Researchers from F5 Labs have recently detected a new strain of Android malware, called MaliBot. This malware has been targeting people in Spain and Italy who use online banking and cryptocurrency wallets.

MaliBot is currently spread through a number of distribution channels, most likely to fill the market gap created by FluBot's sudden shutdown.

The researchers have documented attacks against several banks, listed below:

  • UniCredit
  • Santander
  • CaixaBank
  • CartaBCC

An international law enforcement operation had dismantled FluBot two weeks before MaliBot was discovered.

Data Involved

MaliBot is specifically designed to steal financial information from individuals. The types of data it steals are:

  • E-banking service credentials
  • Crypto wallet passwords
  • Personal details
  • Two-factor authentication codes

In most cases, MaliBot disguises itself as a cryptocurrency mining app, such as Mining X or The CryptoApp, to gain access to the user's cryptocurrency wallets. The operators promote these applications through fraudulent websites that lure potential victims into downloading them.

Features of MaliBot

The command and control (C2) server used by MaliBot is located in Russia, and it is the same server the threat actors previously used to distribute the Sality malware.

This IP address has been used for a large number of campaigns since June 2020. MaliBot itself is an updated and reworked version of the SOVA malware, with different functionality and capabilities.

MaliBot's capabilities are extensive:

  • Web injection/overlay attacks
  • Theft of cryptocurrency wallets (Binance, Trust)
  • Theft of MFA/2FA codes
  • Theft of cookies
  • Theft of SMS messages
  • The ability to bypass Google two-step authentication
  • VNC access to the device and screen capturing
  • The ability to run and delete applications on demand
  • The ability to send SMS messages on demand
  • Information gathering from the device
  • Extensive logging of any successful or failed operations, phone activities, and any errors

Beyond controlling infected devices remotely, the malware can also install a VNC server on the device and connect to it remotely.

Apart from fraudulent websites, the threat actors also use SMS phishing (smishing) messages to lure users into downloading the malware.

For the time being, MaliBot appears to load overlays that target banking institutions in Italy and Spain.

More injections will likely be added as the malware develops, just as FluBot gradually added new injections over time.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.