Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

MaliBot: A New Android Banking Trojan Spotted in the Wild

A new strain of Android malware has been spotted in the wild targeting online banking and cryptocurrency wallet customers in Spain and Italy, just weeks after a coordinated law enforcement operation dismantled FluBot.

The information stealing trojan, codenamed MaliBot by F5 Labs, is as feature-rich as its counterparts, allowing it to steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android’s Accessibility Service to monitor the victim’s device screen.

MaliBot is known to primarily disguise itself as cryptocurrency mining apps such as Mining X or The CryptoApp that are distributed via fraudulent websites designed to attract potential visitors into downloading them.

It also takes another leaf out of the mobile banking trojan playbook in that it employs smishing as a distribution vector to proliferate the malware by accessing an infected smartphone’s contacts and sending SMS messages containing links to the malware.

“MaliBot’s command-and-control (C2) is in Russia and appears to use the same servers that were used to distribute the Sality malware,” F5 Labs researcher Dor Nizar said. “It is a heavily modified re-working of the SOVA malware, with different functionality, targets, C2 servers, domains, and packing schemes.”

SOVA (meaning “Owl” in Russian), which was first detected in August 2021, is notable for its ability to conduct overlay attacks, which work by displaying a fraudulent page using WebView with a link provided by the C2 server should a victim open a banking app included in its active target list.

Some of the banks targeted by MaliBot using this approach include UniCredit, Santander, CaixaBank, and CartaBCC. The Mining X campaign is believed to have commenced on April 11, with the MaliBot malware first discovered a week later around April 18, Nizar told The Hacker News in a statement.

Accessibility Service is a background service running in Android devices to assist users with disabilities. It has long been leveraged by spyware and trojans to capture the device contents and intercept credentials entered by unsuspecting users on other apps.

Besides being able to siphon passwords and cookies of the victim’s Google account, the malware is designed to swipe 2FA codes from the Google Authenticator app as well as exfiltrate sensitive information such as total balances and seed phrases from Binance and Trust Wallet apps.

What’s more, Malibot is capable of weaponizing its access to the Accessibility API to defeat Google’s two-factor authentication (2FA) methods, such as Google prompts, even in scenarios where an attempt is made to sign in to the accounts using the stolen credentials from a previously unknown device.

“The versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency,” the researchers said.

“In fact, any application which makes use of WebView is liable to having the users’ credentials and cookies stolen.”

“MaliBot is a clear example of how diverse the mobile banking trojan threat is to banks and their customers,” Richard Melick, director of threat reporting at Zimperium, said, adding “malicious actors are constantly evolving their tactics to reach their targets.”

“Mobile banking apps are proven, high-value targets with little security in place to prevent theft. Financial institutions need to implement better security controls and active threat detections to stay ahead of fast-evolving threats like these.”

Found this article interesting? Follow THN on Facebook, Twitter ď‚™ and LinkedIn to read more exclusive content we post.

Related News

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

German politicians and political parties have been using data about Facebook users’ political preferences to deliver microtargeted advertisements, a watchdog…
Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network…
The Board of Directors Will See You Now

The Board of Directors Will See You Now

For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It’s common…