SecurityWeek

‘DroidBot’ Android Trojan Targets Banking, Cryptocurrency Applications

The newly discovered DroidBot Android trojan targets 77 banks, cryptocurrency exchanges, and national organizations.

A newly discovered Android remote access trojan (RAT) is targeting 77 banks, cryptocurrency exchanges, and national entities, fraud prevention firm Cleafy warns.

Dubbed DroidBot, and active since mid-2024, the RAT has been used in multiple campaigns in Europe, mainly targeting users in France, Italy, Spain, and Turkey. Attacks were observed in the UK and Portugal as well, and Cleafy found evidence that they could expand to Latin America.

DroidBot features sophisticated capabilities, including hidden VNC, overlay attack techniques, spyware functions such as keylogging and user monitoring, and a dual-channel communication mechanism that gives operators added flexibility.

The malware is distributed masquerading as security and banking applications and Google services, and relies on Android’s Accessibility Services to perform malicious actions on the infected devices.

Once up and running, it can intercept SMS messages to steal transaction authentication numbers (TANs), capture sensitive information from the screen (including credentials), overlay fake login pages on top of legitimate banking apps, and take periodic screenshots.

Like most modern banking trojans, DroidBot enables its operators to remotely control infected devices to execute commands and simulate user interaction.

Unique to this RAT, however, is the use of the dual-channel command-and-control (C&C) communication method, which relies on the MQTT (Message Queuing Telemetry Transport) protocol for outbound packets and on HTTPS for inbound commands.

DroidBot is distributed under the malware-as-a-service (MaaS) business model, with 17 distinct affiliate threat actors identified, some of which appear to be collaborating.

In an October post on a Russian-speaking cybercrime forum, the RAT’s developer was promoting it as written from scratch and available as a service package that includes a crypter (to obfuscate the malware) and server access.

The author also noted that the RAT was provided with no restrictions against CIS countries, suggesting that they may not be from the CIS region.

“In the same forum post, the author included details of a Telegram channel for those interested in joining the group as affiliates. This channel provides additional information about DroidBot’s features and the monthly subscription price of $3000,” Cleafy notes.

DroidBot affiliates are provided with access to a web panel to manage their botnets of infected devices and collect credentials, interact with the bots to redirect phone calls, send fake push notifications, exfiltrate data, and remotely access the device for various actions.

The C&C panel also provides access to a builder so that each affiliate can adjust the malware’s configuration to generate distinct builds and evade detection.

DroidBot, Cleafy notes, appears to be under development, with some features not yet properly implemented – although they exist as placeholders – and others changed between samples.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
