DroidBot, a new Android banking malware, is allegedly trying to steal credentials in nearly 80 cryptocurrency exchanges and banking apps available in multiple European countries.
Its primary targets are apps widely used in European countries such as the UK, Italy, France, Spain, and Portugal. According to the researchers who discovered the malware, its operators have been active since June 2024 and run a malware-as-a-service (MaaS) platform, charging affiliates $3,000 a month.
As of now, at least 17 suspected affiliate groups have been detected renting the malware builders to tailor their payloads and use them for targeted campaigns.
The researchers revealed that DroidBot offers nothing new; it has the same features as other malware strains. Still, this botnet has appeared in 776 distinct infection campaigns across the United Kingdom, Italy, France, Turkey, and Germany, indicating widespread activity.
In addition, the malware shows signs of a payload still under development, as well as indicators of expansion: it may soon target Latin American countries.
The DroidBot malware developers may have originated from Turkey.
The developers of the DroidBot malware are Turkish nationals. These malware authors provided affiliates with all the tools needed to perform a cyberattack.
Investigations also found that the MaaS offering comprises the malware builder, C2 servers, and a central administrative panel from which affiliates manage their campaigns, retrieve stolen data, and issue commands.
Multiple affiliates share the same C2 infrastructure, each with its own unique identifier, which allowed researchers to distinguish 17 separate threat groups. The payload builder lets affiliates tailor DroidBot to specific target applications, add other languages, and specify additional command-and-control server addresses.
Furthermore, affiliates also get access to thorough documentation, support from the malware's designers, and a Telegram channel where the developers post updates about the malware's capabilities.
Overall, the DroidBot MaaS operation lowers the bar for executing cyberattacks, since it lets inexperienced or would-be attackers run their own campaigns. The malware's primary features include keylogging, overlay attacks, SMS interception, and virtual network computing (VNC).
Android users should download applications only from trusted and legitimate sources, such as Google Play. Finally, review an app's permission requests during installation to avoid granting unnecessary privileges and to limit the damage malicious activity can do.
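As an added example that is not part of the original article or any vendor's tooling, the check below reads the permissions declared in an app's AndroidManifest.xml and maps them to the capabilities the article attributes to DroidBot (SMS interception, overlays, keylogging). The permission-to-capability mapping is an assumption based on how these capabilities are normally implemented on Android, not a statement about DroidBot's actual manifest; the manifest is constructed sample input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: which declared permissions enable each capability the
# article names. SMS interception needs SMS receipt/read rights, overlays
# need SYSTEM_ALERT_WINDOW, and keylogging on Android is typically done
# through an accessibility service, which binds with this permission.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keylogging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission android:name> values plus the permission a
    <service> binds with (accessibility services declare it there)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    return {p for p in perms if p}


def banking_trojan_capabilities(manifest_xml: str) -> dict:
    """Return {capability: matching permissions} for every capability whose
    enabling permissions appear in the manifest; empty dict means none."""
    found = requested_permissions(manifest_xml)
    return {cap: found & needed
            for cap, needed in CAPABILITY_PERMISSIONS.items()
            if found & needed}


# Constructed sample manifest for a hypothetical app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for cap, perms in banking_trojan_capabilities(SAMPLE_MANIFEST).items():
        print(f"{cap}: {sorted(perms)}")
```

An app that legitimately needs one of these permissions (an SMS client, a screen reader) will also match, so the output is a prompt for review of the permission request, not a verdict.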