New Android Trojan Targets Financial Institutions, Customers
MaliBot Steals Credentials, Cryptocurrency from Italian, Spanish Victims
A new strain of Android malware is targeting online banking customers and financial institutions, cybersecurity researchers at F5 Labs say.
Dubbed MaliBot, the banking Trojan steals financial information, credentials, crypto wallets, personal data and cookies; bypasses multi-factor authentication codes; and remotely controls infected devices.
The malware disguises itself as a cryptocurrency mining app and so far has mainly targeted victims in Spain and Italy, a geographic range that’s likely to grow.
It likewise can be used for a wider range of attacks than just stealing credentials and cryptocurrency, says F5 Labs researcher Dor Nizar. "In fact, any application which makes use of WebView is liable to having the users' credentials and cookies stolen."
WebView is the Android component that lets an app display web content inside the app itself.
F5 Labs says it discovered MaliBot during a separate investigation into a different malware strain, FluBot.
MaliBot's command-and-control server, which appears to be located in Russia, is also used to distribute the Sality malware, the researchers say. Several campaigns have originated from this IP address since June 2020, they add.
"It is a heavily modified re-working of the SOVA malware, with different functionality, targets, C2 servers, domains and packing schemes," the researchers say.
SOVA is the Russian word for "owl" - a designation apparently chosen by the malware's creator, according to earlier research by Threat Fabric.
MaliBot focuses on web injection/overlay attacks and:
- Stealing cryptocurrency wallets;
- Stealing MFA/2FA codes;
- Stealing cookies;
- Stealing SMS messages;
- Bypassing Google two-step authentication;
- Obtaining VNC access to the device and capturing the screen;
- Running and deleting applications on demand;
- Sending SMS messages on demand.
The Trojan can also gather information from the device, including its IP address, Android ID, model, language, installed application list, and screen and lock states. It also reports back to the operators whether an operation on the victim's device succeeded or failed.
Given the Trojan's propensity for disguising itself as a cryptocurrency mining app, infection campaigns have been going by names such as Mining X or The CryptoApp. The latter is a legitimate cryptocurrency tracker app with more than 1 million downloads from the Google Play Store.
The malicious website serves the fake TheCryptoApp only when it is visited from an Android device; otherwise, the download link points to the real TheCryptoApp in the Play Store.
Users have also been tricked into downloading MaliBot through fraudulent websites or via smishing, the term for phishing via mobile phone SMS messages.
Smishing is a common technique among mobile banker Trojans "because it allows the malware to spread in a fast and controllable way ... MaliBot can send SMS messages on-demand, and once it receives a 'sendsms' command containing a text to send and a phone list from the C2 server, MaliBot sends the SMS to each phone number," the researchers say.
The researchers' observation that the Trojan's C2 IP address has been used in other malware campaigns since June 2020 suggests that the MaliBot operators may be linked to those campaigns as well.
How Does It Work?
MaliBot uses a "packer" that encrypts, compresses or otherwise changes the format of the malware file so that it appears innocuous, making reverse engineering and analysis all the more difficult.
"Using a Tencent packer, MaliBot unpacks itself by decrypting an encrypted Dex file from the assets and loading it at runtime using MultiDex. Once loaded, MaliBot contacts the C2 server to register the infected device, then asks the victim to grant accessibility and launcher permissions," the researchers say.
Once it gains permission, MaliBot registers four services that perform most of the malicious operations: background service, notify service, accessibility service and screen capture service.
The operators behind the Trojan also abuse Android's Accessibility API, a framework intended for building apps that are accessible to users with additional needs. It allows an app to perform actions on behalf of the user, including reading text from the screen, pressing buttons and listening for other accessibility events, the researchers say. Attackers can use this capability to steal sensitive information and manipulate the device to their advantage.
"Flubot, Sharkbot and Teabot are just a few examples of banking Trojans other than MaliBot that abuse the accessibility API. This service also allows mobile malware to maintain persistence. The malware can protect itself against uninstallation and permissions removal by looking for specific text or labels on the screen and pressing the back button to prevent them," they say.
Operators of MaliBot also capture credentials by abusing the MFA process. When Google notices a login from an unrecognized device, it sends the user a prompt asking them to allow or deny the login attempt, or asks them to match a number shown on the unrecognized device with one shown on a recognized device. Using MaliBot's screen capture feature, the operators appear to capture these prompts and the associated credentials.
"Once they have used MaliBot to capture credentials, the attackers can authenticate to Google accounts on the C2 server using those credentials, and use MaliBot to extract the MFA codes," they say.
MaliBot also abuses the Accessibility API to give the Trojan operators full remote control of the infected device, the researchers say.
"The Accessibility API of Android allows MaliBot to perform inputs as though it was the victim. It abuses this functionality to implement something akin to a [Virtual Network Computing] server which allows remote control of the victim’s device. The attacker is able to obtain screen captures from the victim and send input commands to the malware to perform actions," they say.
"This effectively creates an Accessibility API-based remote access Trojan (RAT) that allows the attacker to conveniently access the device remotely," they add.
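The behaviours described above (an accessibility service that drives the UI, SMS theft and on-demand sending, overlays and screen capture) are each visible in an app's manifest, so a defender can triage a decoded AndroidManifest.xml against that combination before deeper analysis. This is an added example, not code from F5 Labs or from this article; the marker-to-capability mapping and the sample manifest are constructed assumptions, not a published MaliBot signature.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Permission markers per capability: an assumed mapping, not a published MaliBot signature.
PERMISSION_MARKERS = {
    "sms_on_demand": {"android.permission.SEND_SMS"},
    "sms_theft": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay_attack": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def triage_manifest(xml_text: str) -> dict:
    """Score a decoded AndroidManifest.xml against the MaliBot-style capability set."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, markers in PERMISSION_MARKERS.items() if perms & markers}
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        # A real accessibility service must bind with this permission and filter this action.
        if (svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                and ACCESSIBILITY_ACTION in actions):
            found.add("accessibility_service")
        # Screen capture on Android 10+ runs under a mediaProjection foreground service type.
        if "mediaProjection" in (svc.get(ANDROID + "foregroundServiceType") or ""):
            found.add("screen_capture")
    # The banker pattern is accessibility control *combined* with SMS, overlay or capture
    # markers; a legitimate accessibility app on its own should not trip this heuristic.
    suspicious = "accessibility_service" in found and len(found) >= 3
    return {"capabilities": sorted(found), "score": len(found), "suspicious": suspicious}


# Constructed manifest for a fake "mining" app; this is not MaliBot's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".CaptureService" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against apktool output to get a quick first pass; a hit is a reason to look at the unpacked Dex and the service code, not a verdict on its own.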
MaliBot is a "clear example" of the diversity of mobile banking Trojan threats, says Richard Melick, director of threat reporting for mobile security provider Zimperium.
"Even with the recent shutdown of the TeaBot and FluBot malware campaigns, malicious actors are constantly evolving their tactics to reach their targets. Mobile banking apps are proven, high-valued targets with little security in place to prevent theft. Financial institutions need to implement better security controls and active threat detections to stay ahead of fast-evolving threats like these," Melick says.