• Cyber Syrup
  • Posts
  • New Android Trojan "DroidBot" Targets Banks and Crypto Exchanges

New Android Trojan "DroidBot" Targets Banks and Crypto Exchanges

A newly discovered Android remote access trojan (RAT) called DroidBot is targeting 77 banking institutions, cryptocurrency exchanges, and national organizations

In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Hire Ava, the Industry-Leading AI BDR

Ava automates your entire outbound demand generation so you can get leads delivered to your inbox on autopilot. She operates within the Artisan platform, which consolidates every tool you need for outbound:

  • 300M+ High-Quality B2B Prospects

  • Automated Lead Enrichment With 10+ Data Sources Included

  • Full Email Deliverability Management

  • Personalization Waterfall using LinkedIn, Twitter, Web Scraping & More

New Android Trojan "DroidBot" Targets Banks and Crypto Exchanges

A newly discovered Android remote access trojan (RAT) called DroidBot is targeting 77 banking institutions, cryptocurrency exchanges, and national organizations. The malware combines advanced techniques with spyware-like capabilities, posing a significant threat to both individuals and organizations.

"DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring," said researchers Simone Mattia, Alessandro Strino, and Federico Valentini from Cleafy.

Key Features of DroidBot

  • Dual-Channel Communication: Uses MQTT for transmitting outbound data and HTTPS for receiving inbound commands, enhancing operational flexibility and resilience.

  • Spyware Capabilities: Includes keylogging, user interface monitoring, and the ability to perform overlay attacks.

  • Malware-as-a-Service (MaaS): Offered under a MaaS model for a monthly fee of $3,000, providing affiliates with access to a web panel for customization and operation.

Who Is at Risk?

Organizations and individuals in financial sectors across several European countries are particularly vulnerable. DroidBot campaigns have been observed in:

  • Austria

  • Belgium

  • France

  • Italy

  • Portugal

  • Spain

  • Turkey

  • United Kingdom

The malicious apps are disguised as security applications, Google Chrome, or popular banking apps, tricking users into downloading and installing them.

How DroidBot Works

  1. Initial Infection:

    • Delivered through phishing campaigns or malicious app stores.

    • Disguised as legitimate applications to deceive users.

  2. Abuse of Accessibility Services:

    • DroidBot heavily relies on Android's accessibility services to harvest sensitive data and gain control over infected devices.

  3. Command-and-Control (C2):

    • HTTPS: Used to receive commands from threat actors.

    • MQTT: Employed to transmit stolen data from infected devices.

    • The dual-protocol system categorizes communication into specific "topics" to enhance resilience against detection.

What Makes DroidBot Unique?

While DroidBot's technical features are similar to other malware families, its operational model stands out:

  • Malware-as-a-Service (MaaS):

    • Affiliates pay $3,000 monthly for access to the malware.

    • Includes tools for customizing APK files and issuing commands through a web panel.

    • At least 17 affiliate groups have been identified.

  • Sophisticated Infrastructure:

    • Leverages MQTT, a messaging protocol, for organized data exfiltration.

    • The C2 infrastructure is meticulously designed to evade detection.

Protect Yourself

To safeguard against DroidBot and similar threats:

  1. Be Cautious with App Downloads:

    • Avoid downloading apps from unverified sources or third-party app stores.

    • Verify the legitimacy of applications, especially those requesting accessibility permissions.

  2. Monitor Device Permissions:

    • Regularly review app permissions on your device and revoke unnecessary access.

  3. Install Security Updates:

    • Keep your Android device updated with the latest patches.

    • Use a reputable mobile security solution.

  4. Educate Employees:

    • Organizations should train staff to recognize phishing attempts and avoid downloading untrusted apps.

Conclusion

DroidBot exemplifies the growing sophistication of malware targeting Android devices. While it shares similarities with other malware families, its Malware-as-a-Service model and dual-protocol communication make it a formidable threat. By remaining vigilant and following security best practices, both individuals and organizations can mitigate the risks posed by DroidBot and similar malware.