A new Android banking malware named MaliBot has been discovered by cybersecurity researchers. The malware poses as a cryptocurrency mining app or the Chrome web browser to target users in Spain and Italy.
MaliBot focuses on stealing financial information, like e-banking credentials, crypto wallet passwords, and sensitive personal details. It is also capable of snatching two-factor authentication codes from notifications.
The malware was discovered by analysts at F5 Labs, who wrote a report with their findings. The report noted that the new malware is currently using multiple distribution channels, likely aiming to cover the gap in the market created by the shutdown of the FluBot operation.
MaliBot’s command and control server is based in Russia. Its IP has been associated with several malware distribution campaigns since June 2020.
The distribution of the malware takes place via websites that promote cryptocurrency applications in the form of APKs that victims download and install manually.
The sites pushing these files are clones of real projects like TheCryptoApp, which already has over a million downloads on the Google Play Store.
In another campaign, the malware is published as an app called Mining X. In this campaign, victims are tricked into scanning a QR code to download the malicious APK file.
MaliBot operators also use SMS phishing (smishing) messages to distribute their payloads to a list of telephone numbers determined by the C2. These messages are sent from an already compromised device by abusing the “send SMS” permission.
The malware is a powerful trojan that secures accessibility and launcher permissions upon installation and then grants itself additional rights on the device.
MaliBot can intercept notifications, calls, SMS, capture screenshots, register boot activities, and give its operators remote control capabilities via a VNC system.
VNC allows the operators to navigate between screens, scroll, take screenshots, copy content, perform long presses, etc.
To evade MFA protections, it abuses the Accessibility API to click on confirmation prompts regarding suspicious login attempts, sends the OTP to the C2, and fills it out automatically.
Additionally, the malware can steal MFA codes from Google Authenticator and perform this action on-demand.
MaliBot retrieves a list of installed apps to determine which banks are used by the victim to fetch the matching overlays/injections from the C2.
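As an added defensive example (not code from the F5 Labs report), the following Python triages a decoded AndroidManifest.xml for the combination of capabilities described above: accessibility and notification-listener services, SMS sending, overlay drawing, boot persistence and launcher replacement. It assumes text XML as produced by a decoder such as apktool (the manifest inside an APK is binary); the permission and category names are real Android ones, and the sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used for android:name / android:permission.
A = "{http://schemas.android.com/apk/res/android}"

# <uses-permission> names -> behaviour they enable (per the MaliBot write-up).
PERMISSION_CAPS = {
    "android.permission.SEND_SMS": "smishing from the victim device",
    "android.permission.READ_SMS": "SMS OTP interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "bank overlay injection",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
}
# Guard permissions a <service> declares to receive privileged system binds.
SERVICE_CAPS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility abuse (clicks, VNC-style control)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification 2FA-code theft",
}

def triage_manifest(xml_text: str) -> dict:
    """Return {capability: [evidence, ...]} for the suspicious features present."""
    root = ET.fromstring(xml_text)
    caps: dict = {}
    for up in root.iter("uses-permission"):
        name = up.get(A + "name")
        if name in PERMISSION_CAPS:
            caps.setdefault(PERMISSION_CAPS[name], []).append(name)
    for svc in root.iter("service"):
        perm = svc.get(A + "permission")
        if perm in SERVICE_CAPS:
            caps.setdefault(SERVICE_CAPS[perm], []).append(svc.get(A + "name"))
    # A HOME intent-filter category means the app offers itself as the launcher.
    for cat in root.iter("category"):
        if cat.get(A + "name") == "android.intent.category.HOME":
            caps.setdefault("launcher replacement", []).append("HOME category")
    return caps

# Constructed sample manifest for demonstration, not taken from a real MaliBot APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-permission android:name="android.permission.SEND_SMS"/>
 <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
 <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
 <uses-permission android:name="android.permission.INTERNET"/>
 <application>
  <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  <activity android:name=".Main"><intent-filter>
   <category android:name="android.intent.category.HOME"/></intent-filter></activity>
 </application></manifest>"""
```

Run `triage_manifest(SAMPLE)` to see the six capability hits; a legitimate browser or crypto-price app would normally match none of the service-binding or SMS entries, so several hits together are the signal worth escalating.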
The analysts have also seen unimplemented features in MaliBot’s code, such as detection of emulated environments, which could be used to evade analysis.
This shows that development is active, and new versions of MaliBot are expected to enter circulation soon.
At present, MaliBot loads overlays that target Italian and Spanish banks. There are fears that it could expand by adding more injections.