
While tracking the mobile banking trojan FluBot, F5 Labs recently discovered a new strain of Android malware which we have dubbed “MaliBot”. While its main targets are online banking customers in Spain and Italy, its ability to steal credentials and cookies and to bypass multi-factor authentication (MFA) codes means that Android users all over the world must be vigilant.

MaliBot is focused on stealing financial information, credentials, crypto wallets, and personal data (PII), and targets financial institutions in Italy and Spain. MaliBot is capable of stealing and bypassing multi-factor (2FA/MFA) codes. It includes the ability to remotely control infected devices using a VNC server implementation.

This article is a deep dive into the tactics and techniques this malware strain employs to steal personal data and evade detection. MaliBot’s command and control (C2) is in Russia and appears to use the same servers that were used to distribute the Sality malware. Many campaigns have originated from this IP since June of 2020 (see Indicators of Compromise). It is a heavily modified re-working of the SOVA malware, with different functionality, targets, C2 servers, domains and packing schemes.

MaliBot has an extensive array of features:

- Theft of cryptocurrency wallets (Binance, Trust).
- The ability to bypass Google two-step authentication.
- VNC access to the device and screen capturing.
- The ability to run and delete applications on demand.
- The ability to send SMS messages on demand.
- Information gathering from the device, including its IP, AndroidID, model, language, installed application list, screen and locked states, and reporting on the malware’s own capabilities.
- Extensive logging of any successful or failed operations, phone activities (calls, SMS) and any errors.

Distribution of MaliBot is performed by attracting victims to fraudulent websites where they are tricked into downloading the malware, or by directly sending SMS phishing messages (smishing) to mobile phone numbers. The malware authors have so far created two campaigns, “Mining X” and “TheCryptoApp”, each of which has a website with a download link to the malware (see Campaign Screenshots in the Appendix). The TheCryptoApp campaign attempts to trick people into downloading the malware instead of the legitimate TheCryptoApp, a cryptocurrency tracker app with more than 1 million downloads in the Google Play Store. For stealth and targeting purposes, the download link directs the user to the malware APK only if the victim visits the website from an Android device; otherwise, the download link refers to the real TheCryptoApp app in the Play Store (see Figure 1 and Figure 2).

MaliBot’s C2 IP has been used in other malware smishing campaigns since June 2020, which raises questions about how the authors of this malware are related to other campaigns (see Campaign Screenshots).
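The user-agent based cloaking described for the TheCryptoApp download link (Android visitors get the APK, everyone else is sent to the real Play Store listing) is something a defender can test for directly: fetch the same URL from two vantage points and compare where each one ends up. The following is an added example, not code from the F5 Labs article or from the malware; the HTTP fetcher is injected as a callable so the check runs offline here against constructed responses, and every URL, user-agent string and package id in it is a constructed placeholder.

```python
"""
Added example, not code from the F5 Labs article or from MaliBot: a small
defensive check for user-agent based cloaking of a download link, the
trick where Android visitors are sent to a malicious APK while everyone
else is redirected to the legitimate Play Store listing. The HTTP fetcher
is injected as a callable, so the check runs offline here against the
constructed responses at the bottom; all URLs and user-agent strings are
constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List
from urllib.parse import urlparse

# Constructed, generic user-agent strings for the two vantage points.
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/102.0 Mobile Safari/537.36")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/102.0 Safari/537.36")
APK_MIME = "application/vnd.android.package-archive"


@dataclass
class FetchResult:
    final_url: str       # URL reached after following redirects
    content_type: str    # Content-Type header of the final response
    body: bytes


# A fetcher takes (url, user_agent) and returns the final response.
Fetcher = Callable[[str, str], FetchResult]


@dataclass
class CloakingVerdict:
    cloaked: bool
    android_final: str
    other_final: str
    reasons: List[str] = field(default_factory=list)


def serves_apk(r: FetchResult) -> bool:
    """True if the response looks like an Android package download."""
    path = urlparse(r.final_url).path.lower()
    return r.content_type.lower() == APK_MIME or path.endswith(".apk")


def analyze(url: str, fetch: Fetcher) -> CloakingVerdict:
    """Fetch the same URL as an Android browser and as a desktop browser and
    flag it when the two visitors are steered to different places."""
    android = fetch(url, ANDROID_UA)
    other = fetch(url, DESKTOP_UA)
    reasons = []

    if urlparse(android.final_url).netloc != urlparse(other.final_url).netloc:
        reasons.append("android and non-android visitors end on different hosts")
    if serves_apk(android) and not serves_apk(other):
        reasons.append("android visitors receive an APK, other visitors do not")
    # A differing body alone is weak evidence (responsive sites differ too),
    # so it is recorded for the analyst but never flags on its own.
    if hashlib.sha256(android.body).digest() != hashlib.sha256(other.body).digest():
        reasons.append("response body differs between user agents")

    strong = [r for r in reasons if not r.startswith("response body")]
    return CloakingVerdict(bool(strong), android.final_url, other.final_url, reasons)


# --- Constructed responses standing in for live HTTP fetches --------------

def cloaked_site_fetcher(url: str, user_agent: str) -> FetchResult:
    """Behaves like the lure site described in the article: APK for Android,
    the real store listing for everyone else (hostnames and id are placeholders)."""
    if "Android" in user_agent:
        return FetchResult("https://cdn.lure.example.invalid/TheCryptoApp.apk",
                           APK_MIME, b"PK\x03\x04constructed-apk-bytes")
    return FetchResult("https://play.google.com/store/apps/details?id=PLACEHOLDER",
                       "text/html", b"<html>store listing</html>")


def honest_site_fetcher(url: str, user_agent: str) -> FetchResult:
    """A site that serves every visitor the same download page."""
    return FetchResult("https://vendor.example.invalid/download",
                       "text/html", b"<html>download page</html>")


if __name__ == "__main__":
    for name, fetcher in [("lure", cloaked_site_fetcher), ("honest", honest_site_fetcher)]:
        v = analyze(f"https://{name}.example.invalid/get", fetcher)
        print(name, "cloaked" if v.cloaked else "consistent", v.reasons)
```

To run this against a live link, replace the constructed fetchers with a wrapper around `requests.get(url, headers={"User-Agent": ua}, allow_redirects=True)` that returns `resp.url`, `resp.headers.get("Content-Type", "")` and `resp.content`; do so from an isolated analysis host, since the point of the check is that the Android vantage point is the one that is handed the payload. The verdict deliberately rests on the host and APK signals only, because many legitimate sites serve different HTML to mobile and desktop browsers.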
