Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

‘MaliBot’ Android Malware Steals Financial, Personal Information

Researchers at F5 Labs have nabbed a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices.

Researchers at F5 Labs have nabbed a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices.

Dubbed MaliBot, the malware poses as a cryptocurrency mining application, but may also pretend to be a Chrome browser or another app. On nfected devices, the threat focuses on harvesting financial information and stealing cryptocurrency and personally identifiable information (PII).

The malware uses a VNC server implementation that allows it to control the infected devices, and was also designed to steal and bypass multi-factor authentication (MFA).

According to F5 Labs, MaliBot’s command and control (C&C) is in Russia, using the same servers that were previously used to distribute the Sality malware. Since June 2020, the IP has been used to launch various other malicious campaigns.

The analysis of MaliBot has revealed a variety of capabilities, including support for web injections and overlay attacks, the ability to run and delete applications, and the ability to steal a great deal of information, including cookies, MFA codes, and SMS messages, and more.

MaliBot is being distributed via fraudulent websites attempting to trick intended victims into downloading the malware instead of the popular cryptocurrency tracker app “TheCryptoApp,” or via smishing.

[ READ: SharkBot Android Malware Continues Popping Up on Google Play ]

For most of its malicious operations, MaliBot abuses the Android Accessibility API, which allows it to perform actions without user interaction and also lets it maintain persistence on the infected devices.

Advertisement. Scroll to continue reading.

The malware can also bypass Google’s 2FA mechanism, by validating Google prompts using the Accessibility API. It also steals the 2FA code and sends it to the attacker, and then inputs the code on the victim device.

When registering an infected device with the C&C server, the malware also sends out the applications list, which is used to identify overlays/injections that can be used on top of applications that the user is launching.

Having permissions to use the Accessibility API, MaliBot can also implement a VNC server to provide attackers with full control over the infected device.

The malware can also send SMS messages on demand (mainly for smishing), can log exceptions, and keeps its background service running by registering itself as a launcher (which also allows it to be notified when an application is launched).

F5 Labs has observed MaliBot in attacks targeting customers of Spanish and Italian banks, but note that the threat could soon start targeting users in other geographies as well.

Related: Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Related: Fake Netflix App Luring Android Users to Malware

Related: Rare Android Stalkerware Can Steal Data, Control Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jessica Newman has joined Sophos as General Manager of Global Cyber Insurance.

Breach and attack simulation solutions provider AttackIQ has appointed Pete Luban as Field Chief Information Security Officer.

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.