MaliBot Android malware is also capable of bypassing two-factor authentication (2FA).
F5 Labs researchers have discovered a new Android malware family that can exfiltrate personal and financial data after compromising devices. According to researchers, the malware can not only bypass multi-factor authentication processes, but can also steal banking data, passwords, and cryptocurrency wallets.
It is worth noting that the malware is distributed through fraudulent websites that trick victims into downloading it in the belief that it is a popular cryptocurrency tracking app. It is also distributed through smishing (SMS phishing).
Researchers have identified two malicious sites distributing MaliBot. One of them impersonates TheCryptoApp, a legitimate app with over a million downloads on the Google Play Store.
Details of MaliBot
F5 Labs has dubbed the Android malware MaliBot. It is disguised as a cryptocurrency mining application, but may also pose as another app or as the Chrome browser. Once installed, it asks the user to grant it Accessibility Service access and to make it the default launcher, which it uses to monitor the device, stay resident and carry out its malicious operations.
MaliBot uses a Virtual Network Computing (VNC) server implementation to gain control of the infected devices. Once it infects a device, it starts exfiltrating financial data and steals PII (personally identifiable information) and cryptocurrency wallet information.
Research revealed that the malware's C2 server is hosted in Russia and is the same server previously used to distribute the Sality malware. The IP address has been used to launch various malware campaigns since June 2020.
MaliBot has a broad feature set: it supports web injections and overlay attacks, it can launch and delete applications, and it can capture screenshots of the compromised device. It remotely steals passwords, SMS messages, MFA codes, web browser cookies, bank details and cryptocurrency wallet information, and it can defeat MFA protection on the accounts it targets.
Most of this rests on abuse of the Android Accessibility API. Once the user grants accessibility access, the malware can read what is on screen and perform taps and other actions on the user's behalf without any further permission prompt, which is also how it maintains persistence on the infected device. It bypasses 2FA by approving Google prompts itself through the Accessibility API and by reading 2FA codes off the screen, which are then forwarded to the attacker.
The variant distributed via SMS messages logs exceptions and registers itself as the device launcher, which helps it survive on the device. By bypassing the protections around crypto wallet apps, the attackers can drain bitcoin and other cryptocurrencies from wallets linked to the infected device.
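The two footholds described above, an enabled Accessibility Service and the default-launcher (HOME) role, are both visible from `adb` on a device suspected of infection, so a quick triage check is to compare what holds them against an allowlist. The script below is an added example, not code from F5 Labs or from the MaliBot sample. It parses the output of two real commands, `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/Service` entries, or `null`) and `adb shell cmd package resolve-activity --brief -c android.intent.category.HOME -a android.intent.action.MAIN`, and flags any package not on the allowlist. The sample outputs, the `com.example.cryptotracker` package, and the allowlist contents are constructed for the example; the assumption that `resolve-activity --brief` prints the component on the last line containing a `/` is marked in the code.

```python
"""Triage check for Accessibility-Service and launcher abuse on an Android device.

Added example (not F5 Labs' or the malware's code). Runs offline on the
constructed sample output below; use adb_shell() to feed it a real device.
"""
from __future__ import annotations

import subprocess

# Assumed allowlist: tailor to your fleet. TalkBack and the stock Pixel /
# AOSP launchers are real package names; anything else here is a placeholder.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_LAUNCHERS = {"com.google.android.apps.nexuslauncher", "com.android.launcher3"}

# Constructed sample output (what the two adb commands would print on an
# infected device where a fake "crypto tracker" holds both footholds).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cryptotracker/.MonitorService"
)
SAMPLE_HOME = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
    "com.example.cryptotracker/.HomeActivity\n"
)


def adb_shell(*args: str) -> str:
    """Run an `adb shell` command and return its stdout (live use only)."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Split 'pkg/Class:pkg/Class' into (package, fully-qualified class) pairs.
    An empty string or the literal 'null' means no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # Android accepts the shorthand '.Service' for a class inside the package.
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_home_component(raw: str) -> str | None:
    """Return the 'package/Activity' resolved for the HOME intent.
    Assumption: `resolve-activity --brief` prints a priority line first and the
    component last, so we take the last non-empty line containing a '/'."""
    component = None
    for line in raw.splitlines():
        line = line.strip()
        if "/" in line and not line.startswith("priority"):
            component = line
    return component


def triage(acc_raw: str, home_raw: str,
           allowed_accessibility: set[str], allowed_launchers: set[str]) -> list[str]:
    """Return one finding per package holding Accessibility or HOME without being allowlisted."""
    findings = []
    for pkg, cls in parse_accessibility_services(acc_raw):
        if pkg not in allowed_accessibility:
            findings.append(f"unexpected accessibility service: {pkg}/{cls}")
    home = parse_home_component(home_raw)
    if home is not None:
        pkg = home.split("/", 1)[0]
        if pkg not in allowed_launchers:
            findings.append(f"unexpected default launcher: {home}")
    return findings


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in adb_shell(...) output for a real device.
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_HOME,
                          ALLOWED_ACCESSIBILITY, ALLOWED_LAUNCHERS):
        print(finding)
```

On a clean device both lists should come back empty; a hit on either is worth pulling the APK (`adb shell pm path <package>` then `adb pull`) before removing it, since a package that holds both roles at once is exactly the combination the malware asks for.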
Lastly, like FluBot, MaliBot can send SMS messages from the infected device to spread the infection further. The campaign currently targets customers of Spanish and Italian banks, but its scope may soon broaden, F5 Labs researcher Dor Nizar noted.