Malibot malware hits Android devices to steal crypto assets

June 21, 2022

Italy and Spain have been targeted by a new cyberattack campaign that uses a new Android banking malware dubbed MaliBot. The malware has been observed imitating cryptocurrency mining apps and the Chrome web browser to lure its victims.

Analysis of the MaliBot banking malware shows how it can steal its victims' financial data, including online banking credentials, cryptocurrency wallet passwords, and MFA codes read from the device's notifications.

MaliBot was also found using numerous distribution channels to spread itself, which experts believe is an attempt to fill the gap in the market left by the shutdown of the FluBot operation. Its C2 server is hosted in Russia, and analysts have linked its IP address to previous malware campaigns dating back to June 2020.


The MaliBot malware is spread via websites promoting crypto apps in the form of APK files that victims manually download and install on their Android devices.


Its operators imitate legitimate cryptocurrency brands to trick victims into believing the website is genuine when it is in fact distributing malware. One MaliBot campaign promoted an app called ‘Mining X’, in which victims are instructed to scan a QR code that leads to the malware-laden APK file.

Moreover, the operators have also launched SMS phishing (smishing) attacks to spread the malware to phone numbers supplied by their C2 servers. The malicious text messages are sent from already infected devices, abusing the ‘send SMS’ permission granted on the Android device.

Experts consider MaliBot a powerful Android banking trojan because, once installed, it can gain access to the targeted device and grant itself the permissions it needs. It can also intercept notifications, text messages, and calls, capture screenshots, and give its operators remote control of the device through a Virtual Network Computing (VNC) system.

To sidestep multi-factor authentication, the malware abuses the Accessibility API to click the confirmation prompts in incoming notifications that alert the victim to suspicious login attempts. It then forwards the one-time password (OTP) to its C2 server for use in the operators' fraudulent activity.

MaliBot also retrieves the list of apps installed on the victim's device to determine which digital banking applications are in use. It then fetches the matching overlays from its C2 server and displays them on top of the device's interface, so that the victim believes nothing malicious is taking place on their Android device.
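The capabilities described above (sending SMS, an accessibility service that clicks prompts, a notification listener that reads MFA codes, overlay windows, and enumeration of installed apps) all have to be declared in an APK's manifest. As an added example, not code from the article or from any vendor mentioned in it, the Python script below scores a decoded AndroidManifest.xml for that combination so a defender can triage sideloaded APKs. It assumes the manifest has already been decoded from binary XML to plain text (for instance with apktool), and the sample manifest, its package name and the weights are constructed for this example.

```python
"""Triage heuristic for sideloaded Android APK manifests (added example).

Flags the permission and service-binding combination that Android banking
trojans rely on. Each item is legitimate on its own (SMS clients, screen
readers and launchers declare some of them), so the output is a triage
score for an analyst, not a malware verdict.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest-level permissions of interest and what a banking trojan uses them for.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "send smishing texts from the infected device",
    "android.permission.READ_SMS": "read SMS-delivered one-time codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of banking apps",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed banking apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further payloads",
}

# Service bindings that grant the app an accessibility service or a
# notification listener; both must be declared on a <service> element.
RISKY_SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility abuse: auto-click prompts, grant own permissions",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "read MFA codes out of notifications",
}

# Constructed weights: the capabilities that do the most damage weigh most.
WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 2,
}


def analyse_manifest(manifest_xml: str) -> dict:
    """Return {permission_or_binding: why_it_matters} for every risky declaration."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in RISKY_PERMISSIONS:
            findings[name] = RISKY_PERMISSIONS[name]
    for service in root.iter("service"):
        binding = service.get(ANDROID_NS + "permission")
        if binding in RISKY_SERVICE_BINDINGS:
            findings[binding] = RISKY_SERVICE_BINDINGS[binding]
    return findings


def risk_score(findings: dict) -> int:
    """Sum the weights of the findings; unlisted risky items count 1 each."""
    return sum(WEIGHTS.get(name, 1) for name in findings)


def verdict(score: int) -> str:
    """Map a score to a triage bucket (thresholds are constructed for this example)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed sample: a decoded manifest shaped like a crypto-themed trojan.
SAMPLE_TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.miningx">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Mining X">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary network-only app for comparison.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Benign"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("trojan", SAMPLE_TROJAN_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        found = analyse_manifest(xml)
        score = risk_score(found)
        print(f"{label}: score={score} verdict={verdict(score)}")
        for name, why in found.items():
            print(f"  {name}: {why}")
```

The script only sees what the manifest declares, which is exactly what matters here: an accessibility service, a notification listener and overlay or SMS permissions cannot be obtained at runtime without being declared, so an APK downloaded from a crypto-themed website that declares all of them deserves a closer look before anyone taps Install.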

A recent analysis of the malware indicates that it is being actively propagated and that new, improved versions are expected soon.
