A brand new pressure of Android malware has been noticed within the wild concentrating on on-line banking and cryptocurrency pockets prospects in Spain and Italy, simply weeks after a coordinated legislation enforcement operation dismantled FluBot.
The data stealing trojan, codenamed MaliBot by F5 Labs, is as feature-rich as its counterparts, permitting it to steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android’s Accessibility Service to observe the sufferer’s gadget display screen.
MaliBot is thought to primarily disguise itself as cryptocurrency mining apps corresponding to Mining X or The CryptoApp which might be distributed by way of fraudulent web sites designed to draw potential guests into downloading them.
It additionally takes one other leaf out of the cell banking trojan playbook in that it employs smishing as a distribution vector to proliferate the malware by accessing an contaminated smartphone’s contacts and sending SMS messages containing hyperlinks to the malware.
“MaliBot’s command-and-control (C2) is in Russia and seems to make use of the identical servers that have been used to distribute the Sality malware,” F5 Labs researcher Dor Nizar stated. “It’s a closely modified re-working of the SOVA malware, with completely different performance, targets, C2 servers, domains, and packing schemes.”
SOVA (that means “Owl” in Russian), which was first detected in August 2021, is notable for its capability to conduct overlay assaults, which work by displaying a fraudulent web page utilizing WebView with a hyperlink offered by the C2 server ought to a sufferer open a banking app included in its energetic goal record.
Among the banks focused by MaliBot utilizing this method embody UniCredit, Santander, CaixaBank, and CartaBCC.
Accessibility Service is a background service operating in Android units to help customers with disabilities. It has lengthy been leveraged by adware and trojans to seize the gadget contents and intercept credentials entered by unsuspecting customers on different apps.
Apart from having the ability to siphon passwords and cookies of the sufferer’s Google account, the malware is designed to swipe 2FA codes from the Google Authenticator app in addition to exfiltrate delicate info corresponding to whole balances and seed phrases from Binance and Belief Pockets apps.
What’s extra, Malibot is able to weaponizing its entry to the Accessibility API to defeat Google’s two-factor authentication (2FA) strategies, corresponding to Google prompts, even in situations the place an try is made to check in to the accounts utilizing the stolen credentials from a beforehand unknown gadget.
“The flexibility of the malware and the management it offers attackers over the gadget imply that it may, in precept, be used for a wider vary of assaults than stealing credentials and cryptocurrency,” the researchers stated.
“Actually, any software which makes use of WebView is liable to having the customers’ credentials and cookies stolen.”
