Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

‘MaliBot’ Android Malware Steals Financial, Personal Information

Researchers at F5 Labs have nabbed a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices.

Researchers at F5 Labs have nabbed a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices.

Dubbed MaliBot, the malware poses as a cryptocurrency mining application, but may also pretend to be a Chrome browser or another app. On nfected devices, the threat focuses on harvesting financial information and stealing cryptocurrency and personally identifiable information (PII).

The malware uses a VNC server implementation that allows it to control the infected devices, and was also designed to steal and bypass multi-factor authentication (MFA).

According to F5 Labs, MaliBot’s command and control (C&C) is in Russia, using the same servers that were previously used to distribute the Sality malware. Since June 2020, the IP has been used to launch various other malicious campaigns.

The analysis of MaliBot has revealed a variety of capabilities, including support for web injections and overlay attacks, the ability to run and delete applications, and the ability to steal a great deal of information, including cookies, MFA codes, and SMS messages, and more.

MaliBot is being distributed via fraudulent websites attempting to trick intended victims into downloading the malware instead of the popular cryptocurrency tracker app “TheCryptoApp,” or via smishing.

[ READ: SharkBot Android Malware Continues Popping Up on Google Play ]

For most of its malicious operations, MaliBot abuses the Android Accessibility API, which allows it to perform actions without user interaction and also lets it maintain persistence on the infected devices.

The malware can also bypass Google’s 2FA mechanism, by validating Google prompts using the Accessibility API. It also steals the 2FA code and sends it to the attacker, and then inputs the code on the victim device.

When registering an infected device with the C&C server, the malware also sends out the applications list, which is used to identify overlays/injections that can be used on top of applications that the user is launching.

Having permissions to use the Accessibility API, MaliBot can also implement a VNC server to provide attackers with full control over the infected device.

The malware can also send SMS messages on demand (mainly for smishing), can log exceptions, and keeps its background service running by registering itself as a launcher (which also allows it to be notified when an application is launched).

F5 Labs has observed MaliBot in attacks targeting customers of Spanish and Italian banks, but note that the threat could soon start targeting users in other geographies as well.

Related: Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Related: Fake Netflix App Luring Android Users to Malware

Related: Rare Android Stalkerware Can Steal Data, Control Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.