New MaliBot Android banking malware spreads as a crypto miner


Cybersecurity researchers have discovered a new Android banking malware named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain.

MaliBot focuses on stealing financial information such as online banking credentials, crypto wallet passwords, and personal details, and it is also capable of capturing multi-factor authentication (MFA) codes.

According to a report by F5 Labs, whose analysts discovered the new malware, MaliBot is currently using multiple distribution channels, likely aiming to fill the gap left by the sudden shutdown of the FluBot operation.

Fake crypto apps

MaliBot's command and control (C2) server is based in Russia, and its IP address has been associated with several malware distribution campaigns dating back to June 2020.

MaliBot is distributed through websites that promote cryptocurrency apps in the form of APKs that victims download and install manually.

The sites that push these files are clones of real projects like TheCryptoApp, which has over a million downloads on the Google Play Store.

In another campaign, the malware is pushed in the form of an app called Mining X, and victims are tricked into scanning a QR code to download the malicious APK file.

The Mining X site that drives MaliBot

MaliBot operators also use smishing messages to distribute their payloads to a list of phone numbers determined by the C2. These messages are sent from compromised devices abusing the “send SMS” permission.

MaliBot Abilities

MaliBot is a powerful Android Trojan that obtains accessibility and launcher permissions upon installation and then grants itself additional rights on the device.

It can intercept notifications, text messages, and calls, capture screenshots, register boot activities, and give its operators remote control capabilities via a VNC system.

VNC allows operators to navigate between screens, scroll, take screenshots, copy and paste content, swipe, long press, and more.

To circumvent MFA protections, it abuses the Accessibility API to click confirmation prompts on incoming alerts about suspicious login attempts, sends the OTP to the C2, and fills it in automatically.

Code to retrieve MFA codes (F5 Laboratories)

Additionally, the malware can steal MFA codes from Google Authenticator and can do so on demand, opening the authenticator app without any user interaction.

Like most banking Trojans, MaliBot retrieves the list of installed applications to determine which banking apps the victim uses, then fetches the corresponding overlays (injections) from the C2. When the victim opens the legitimate application, the fake login screen is drawn on top of its user interface.

Sending list of overlays to C2 and receiving injections back (F5 Laboratories)
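As an added example (not code from the F5 Labs report or from this article), the script below statically triages an AndroidManifest.xml for the capability set described above: SMS send/receive, overlay windows, installed-app enumeration, an accessibility service, and a notification listener. The manifest and the score threshold are constructed for illustration.

```python
# Added example, not F5 Labs' tooling: flag manifests declaring the overlay
# banking-trojan capability profile. Manifest and threshold are constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Permissions granting the behaviours the article describes.
PERMISSIONS = {
    "android.permission.SEND_SMS": "send smishing SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS / OTP",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw login overlays",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed banking apps",
}
# Permissions that only appear on a <service> element.
SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility abuse (auto-click, VNC)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read notifications",
}

def triage_manifest(xml_text: str) -> list[str]:
    """Return the suspicious capabilities declared in the manifest, in order."""
    root = ET.fromstring(xml_text)
    found = [PERMISSIONS[p.get(NS + "name")] for p in root.iter("uses-permission")
             if p.get(NS + "name") in PERMISSIONS]
    found += [SERVICE_PERMISSIONS[s.get(NS + "permission")] for s in root.iter("service")
              if s.get(NS + "permission") in SERVICE_PERMISSIONS]
    return found

def is_banker_profile(found: list[str], threshold: int = 4) -> bool:
    """A crypto-mining app needs none of these; several together fit the profile.
    The threshold is an assumption, not a published rule."""
    return len(found) >= threshold

# Constructed manifest mimicking a fake "mining" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeminer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    hits = triage_manifest(SAMPLE_MANIFEST)
    print("\n".join(hits), "\n=> banking-trojan profile:", is_banker_profile(hits))
```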

What we should expect

F5 Labs analysts saw unimplemented features in MaliBot's code, such as emulator detection, which could be used to evade analysis sandboxes.

This is a sign that development is very active, and new versions of MaliBot should soon enter circulation, likely with expanded capabilities.

For now, MaliBot loads overlays that target Italian and Spanish banks, but it may soon expand its scope by adding more injections, just as FluBot did gradually.

Spanish banking overlay used by MaliBot (F5 Laboratories)

As of this writing, the websites distributing MaliBot remain online, so the distribution operation is still active.
