Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

‘MaliBot’ Android Malware Steals Financial, Personal Information

Researchers at F5 Labs have nabbed a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices.

Researchers at F5 Labs have nabbed a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices.

Dubbed MaliBot, the malware poses as a cryptocurrency mining application, but may also pretend to be a Chrome browser or another app. On nfected devices, the threat focuses on harvesting financial information and stealing cryptocurrency and personally identifiable information (PII).

The malware uses a VNC server implementation that allows it to control the infected devices, and was also designed to steal and bypass multi-factor authentication (MFA).

According to F5 Labs, MaliBot’s command and control (C&C) is in Russia, using the same servers that were previously used to distribute the Sality malware. Since June 2020, the IP has been used to launch various other malicious campaigns.

The analysis of MaliBot has revealed a variety of capabilities, including support for web injections and overlay attacks, the ability to run and delete applications, and the ability to steal a great deal of information, including cookies, MFA codes, and SMS messages, and more.

MaliBot is being distributed via fraudulent websites attempting to trick intended victims into downloading the malware instead of the popular cryptocurrency tracker app “TheCryptoApp,” or via smishing.

[ READ: SharkBot Android Malware Continues Popping Up on Google Play ]

Advertisement. Scroll to continue reading.

For most of its malicious operations, MaliBot abuses the Android Accessibility API, which allows it to perform actions without user interaction and also lets it maintain persistence on the infected devices.

The malware can also bypass Google’s 2FA mechanism, by validating Google prompts using the Accessibility API. It also steals the 2FA code and sends it to the attacker, and then inputs the code on the victim device.

When registering an infected device with the C&C server, the malware also sends out the applications list, which is used to identify overlays/injections that can be used on top of applications that the user is launching.

Having permissions to use the Accessibility API, MaliBot can also implement a VNC server to provide attackers with full control over the infected device.

The malware can also send SMS messages on demand (mainly for smishing), can log exceptions, and keeps its background service running by registering itself as a launcher (which also allows it to be notified when an application is launched).

F5 Labs has observed MaliBot in attacks targeting customers of Spanish and Italian banks, but note that the threat could soon start targeting users in other geographies as well.

Related: Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Related: Fake Netflix App Luring Android Users to Malware

Related: Rare Android Stalkerware Can Steal Data, Control Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...