
‘DroidBot’ Android Trojan Targets Banking, Cryptocurrency Applications

The newly discovered DroidBot Android trojan targets 77 banks, cryptocurrency exchanges, and national organizations.

A newly discovered Android remote access trojan (RAT) is targeting 77 banks, cryptocurrency exchanges, and national entities, fraud prevention firm Cleafy warns.

Dubbed DroidBot, and active since mid-2024, the RAT has been used in multiple campaigns in Europe, mainly targeting users in France, Italy, Spain, and Turkey. Attacks were observed in the UK and Portugal as well, and Cleafy found evidence that they could expand to Latin America.

DroidBot features sophisticated capabilities, including hidden VNC, overlay attacks, spyware functions such as keylogging and user monitoring, and a dual-channel communication mechanism for increased flexibility.

The malware is distributed masquerading as security and banking applications and Google services, and relies on Android’s Accessibility Services to perform malicious actions on the infected devices.

Once up and running, it can intercept SMS messages to steal transaction authentication numbers (TANs), capture sensitive information from the screen (including credentials), overlay fake login pages on top of legitimate banking apps, and take periodic screenshots.
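The capabilities listed above map onto a recognisable set of Android permissions and component declarations, which is what an analyst checks first when triaging an app that claims to be a "security" or banking utility. The following Python script is an added example written for this article, not code from Cleafy or from the DroidBot samples: it parses a decoded AndroidManifest.xml and scores the combination of an accessibility service, overlay permission and SMS access. The permission-to-capability mapping and the two sample manifests are constructed for illustration, and the verdict thresholds are an assumption to be tuned against your own app inventory.

```python
import xml.etree.ElementTree as ET

# Android XML namespace used for android:name / android:permission attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions that back the behaviours the article attributes to DroidBot.
# This mapping is an analyst heuristic (assumption), not a published rule.
CAPABILITY_PERMS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call_handling": {"android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS"},
    "sideload_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def declares_accessibility_service(root):
    """True if any <service> is bound as an AccessibilityService."""
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            return True
        for action in svc.iter("action"):
            if action.get(NAME) == "android.accessibilityservice.AccessibilityService":
                return True
    return False


def triage_manifest(manifest_xml):
    """Return the package name, matched capabilities and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    caps = {cap for cap, perms in CAPABILITY_PERMS.items() if requested & perms}
    if declares_accessibility_service(root):
        caps.add("accessibility_service")
    # Banking-trojan pattern: accessibility + overlay + SMS in one package.
    # Legitimate SMS clients or accessibility tools hit one or two of these,
    # so this is a triage score, not a conviction.
    if {"accessibility_service", "overlay", "sms_interception"} <= caps:
        verdict = "high"
    elif "accessibility_service" in caps and len(caps) > 1:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "capabilities": sorted(caps), "verdict": verdict}


# Constructed manifest mimicking a fake "Security Update" app (not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Security Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for a harmless note-taking app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The manifest inside an APK is binary XML; run it through a decoder such as apktool first and feed the script the resulting text. The accessibility check looks at both the `android:permission` attribute and the intent-filter action, because a service bound as an accessibility service is the single strongest indicator here and either declaration alone is enough for Android to offer it to the user.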

Like most modern banking trojans, DroidBot enables its operators to remotely control the infected devices to execute commands and simulate user interaction.

Unique to this RAT, however, is its dual-channel command-and-control (C&C) communication method, which relies on the MQTT (Message Queuing Telemetry Transport) protocol for outbound packets and on HTTPS for inbound commands.
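From a network-monitoring standpoint, the MQTT leg of that design is the more visible one: MQTT on its standard ports is unusual traffic for an end-user phone, and a handset that opens both an MQTT session and an HTTPS session to the same external host fits the pattern described. The script below is an added detection example written for this article, not a Cleafy rule; it runs over a few constructed flow-log lines, flags MQTT connections from a mobile-device subnet, and raises the severity when the same source also talks HTTPS to the same destination. The log format, the mobile subnet and the assumption that both channels may point at one host are all constructed for the example; the article itself does not say whether the two channels share a server.

```python
import ipaddress
import re
from collections import defaultdict

MQTT_PORTS = {1883, 8883}   # plain and TLS MQTT
HTTPS_PORT = 443
# Where managed phones sit on this (constructed) network.
MOBILE_SUBNETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed flow-log lines in the form "<ts> <src> -> <dst>:<port> <proto>".
FLOWS = """\
2024-11-20T10:01:02Z 10.10.5.23 -> 203.0.113.7:8883 tcp
2024-11-20T10:01:05Z 10.10.5.23 -> 203.0.113.7:443 tcp
2024-11-20T10:02:10Z 10.10.5.40 -> 198.51.100.9:443 tcp
2024-11-20T10:03:00Z 10.10.9.8 -> 192.0.2.15:1883 tcp
2024-11-20T10:04:30Z 10.10.5.41 -> 192.0.2.30:1883 tcp
""".strip().splitlines()

FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_flow(line):
    """Parse one flow line; return None for lines that do not match the format."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def is_mobile(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MOBILE_SUBNETS)


def find_suspicious_mqtt(lines):
    """Alert on mobile hosts using MQTT; escalate to 'high' when the same host
    also has HTTPS to the same destination (the dual-channel pattern)."""
    by_src = defaultdict(lambda: {"mqtt": set(), "https": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_mobile(flow["src"]):
            continue
        if flow["port"] in MQTT_PORTS:
            by_src[flow["src"]]["mqtt"].add(flow["dst"])
        elif flow["port"] == HTTPS_PORT:
            by_src[flow["src"]]["https"].add(flow["dst"])

    alerts = []
    for src, seen in sorted(by_src.items()):
        if not seen["mqtt"]:
            continue
        shared = seen["mqtt"] & seen["https"]
        alerts.append({
            "src": src,
            "mqtt_dst": sorted(seen["mqtt"]),
            "dual_channel_dst": sorted(shared),
            "severity": "high" if shared else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mqtt(FLOWS):
        print(alert)
```

Before deploying anything like this, baseline which apps on your fleet legitimately use MQTT (some messaging and push libraries do) and allow-list their brokers; the port check alone is a starting point, and the "high" tier is the part worth paging on.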

DroidBot is distributed under the malware-as-a-service (MaaS) business model, with 17 distinct affiliate threat actors identified, some of which appear to be collaborating.


In an October post on a Russian-speaking cybercrime forum, the RAT’s developer was promoting it as written from scratch and available as a service package that includes a crypter (to obfuscate the malware) and server access.

The author also noted that the RAT was provided with no restrictions against CIS countries, suggesting that they may not be from the CIS region.

“In the same forum post, the author included details of a Telegram channel for those interested in joining the group as affiliates. This channel provides additional information about DroidBot’s features and the monthly subscription price of $3000,” Cleafy notes.

DroidBot affiliates are provided with access to a web panel to manage their botnets of infected devices and collect credentials, interact with the bots to redirect phone calls, send fake push notifications, exfiltrate data, and remotely access the device for various actions.

The C&C panel also provides access to a builder so that each affiliate can adjust the malware’s configuration to generate distinct builds and evade detection.

DroidBot, Cleafy notes, appears to be under development, with some features not yet properly implemented – although they exist as placeholders – and others changed between samples.


Ionut Arghire is an international correspondent for SecurityWeek.
