IT Security Guru

New MaliBot Android Banking Malware Poses as Cryptocurrency Mining App

The malware is targeting mobile banking users in Spain and Italy.

by Guru Writer
June 17, 2022
in Cyber Bites

A new Android banking malware named MaliBot has been discovered by cybersecurity researchers. The malware poses as a cryptocurrency mining app or the Chrome web browser to target users in Spain and Italy.

MaliBot focuses on stealing financial information, like e-banking credentials, crypto wallet passwords, and sensitive personal details. It is also capable of snatching two-factor authentication codes from notifications.

The malware was discovered by analysts at F5 Labs, who wrote a report with their findings. The report noted that the new malware is currently using multiple distribution channels, likely aiming to cover the gap in the market created by the shutdown of the FluBot operation.

MaliBot’s command and control server is based in Russia. Its IP has been associated with several malware distribution campaigns since June 2020.

The distribution of the malware takes place via websites that promote cryptocurrency applications in the form of APKs that victims download and install manually.

The sites pushing these files are clones of real projects like TheCryptoApp, which already has over a million downloads on the Google Play Store.

In another campaign, the malware is published as an app called Mining X. In this campaign, victims are tricked into scanning a QR code to download the malicious APK file.

MaliBot operators also use SMS phishing (smishing) messages to distribute their payloads to a list of telephone numbers determined by the C2. These messages are sent from a compromised device by abusing the “send SMS” permission.

The malware is a powerful trojan that secures accessibility and launcher permissions upon installation and then grants itself additional rights on the device.

MaliBot can intercept notifications, calls and SMS, capture screenshots, register boot activities, and give its operators remote control capabilities via a VNC system.

VNC allows the operators to navigate between screens, scroll, take screenshots, copy content, perform long presses, etc.

To evade MFA protections, it abuses the Accessibility API to click on confirmation prompts regarding suspicious login attempts, sends the OTP to the C2, and fills it in automatically.

Additionally, the malware can steal MFA codes from Google Authenticator and perform this action on-demand.

MaliBot retrieves a list of installed apps to determine which banks the victim uses, then fetches the matching overlays/injections from the C2.
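The capabilities listed above (SMS sending and interception, notification capture, accessibility-service abuse, overlays, boot persistence and installed-app enumeration) all leave traces in an app's manifest. The following added example, which is not code from F5 Labs or from this article, shows a static triage pass over a decoded AndroidManifest.xml that flags that permission profile. The two manifests embedded in it are constructed for illustration and are not MaliBot's real manifest; the capability labels, the package names and the scoring threshold are assumptions chosen for this example, while the permission strings are genuine Android permission names.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission profile
of a MaliBot-style Android banking trojan. Added example; the manifests
below are constructed, not taken from a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability (label is an assumption) -> real Android permission strings.
INDICATORS = {
    "send/intercept SMS (smishing relay, OTP theft)": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "overlay other apps (banking injections)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "start at boot (persistence)": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "enumerate installed apps (pick bank overlays)": {"android.permission.QUERY_ALL_PACKAGES"},
    "read call state / intercept calls": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.ANSWER_PHONE_CALLS",
    },
}
# A <service> guarded by one of these permissions is an accessibility service
# or a notification listener, the two hooks the article describes.
SERVICE_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility service (auto-click prompts, screen control, OTP capture)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "notification listener (read 2FA codes from notifications)",
}
REVIEW_THRESHOLD = 4  # assumption: four or more distinct capabilities warrants analyst review


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, matched capabilities and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    findings = {}
    for capability, perms in INDICATORS.items():
        hits = sorted(requested & perms)
        if hits:
            findings[capability] = hits
    for svc in root.iter("service"):
        label = SERVICE_INDICATORS.get(svc.get(PERMISSION))
        if label:
            findings[label] = [svc.get(NAME)]
    score = len(findings)
    return {
        "package": root.get("package"),
        "findings": findings,
        "score": score,
        "verdict": "review: banking-trojan permission profile" if score >= REVIEW_THRESHOLD else "low",
    }


# Constructed manifest mimicking a fake "mining" app with the capabilities described.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeminer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Miner">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary network-only app for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["score"], r["verdict"])
        for cap, hits in r["findings"].items():
            print("  ", cap, "<-", ", ".join(hits))
```

Run against the decoded manifest of any APK (for example the output of apktool) instead of the embedded strings; the point is that the permission combination, not any single permission, is what distinguishes this profile from a legitimate app that needs one of them.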

The analysts have seen unimplemented features in MaliBot's code, such as emulator detection, which could be used to evade analysis.

This shows that development is active. New versions of MaliBot are expected to enter circulation soon.

At present, MaliBot loads overlays that target Italian and Spanish banks. There are fears that it could expand by adding more injections.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic