Financial institutions

New Android Trojan targets financial institutions and customers

Blockchain and cryptocurrency, Cryptocurrency fraud, Cybercrime

MaliBot steals credentials and cryptocurrency from Italian and Spanish victims

Prajeet Nair (@prajeetspeaks) •
June 18, 2022

New strain of Android malware targets online banking customers and financial institutions, cybersecurity researchers from F5 Labs says.

See also: On demand | Zero tolerance: control the landscape where you will meet your opponents

Dubbed MaliBot, the banking trojan steals financial information, credentials, crypto wallets, personal data and cookies; bypasses multi-factor authentication codes; and remotely controls infected devices.

The malware disguises itself as a cryptocurrency mining app and has so far primarily targeted victims in Spain and Italy, a geographic area that is likely to expand.

It can also be used for a wider range of attacks than just stealing credentials and cryptocurrency, says F5 Labs researcher Dor Nizar. “In fact, any app that uses WebView is susceptible to user credentials and cookies being stolen.”

WebView allows Android users to view web search results in unrelated active apps.

F5 Labs claims to have discovered MaliBot during a separate investigation of another malware strain, FluBot.

Campaign Details

MaliBot’s command-and-control server, which appears to be located in Russia, is also used to distribute the Sality malware, according to the researchers. Several campaigns have come from this Internet protocol since June 2020, they add.

“It is a heavily modified redesign of the SOVA malware, with different functionality, and targets servers, domains, and C2 packaging schemes,” the researchers explain.

SOVA is the Russian word for “owl” – a designation apparently chosen by the creator of the malware, shows previous research by Threat Fabric.

MaliBot focuses on web injection/overlay attacks and:

  • Steal cryptocurrency wallets;
  • Steal MFA/2FA codes;
  • Steal cookies;
  • Steal text messages;
  • Bypassing Google’s two-step authentication;
  • Obtain VNC access to the device and capture the screen;
  • Running and deleting applications on demand;
  • Sending SMS on demand.

The Trojan can also collect information about the device including its IP address, Android ID, model, language, list of installed apps, screen and locked states. It can signal the success of an operation on the victim’s device, or its absence.

Distribution of malware

Given the Trojan’s propensity to disguise itself as a cryptocurrency mining application, infection campaigns go by names such as Mining X or The CryptoApp. The latter is a legit cryptocurrency tracking app with over a million downloads from the Google Play Store.

To get the malware version victims have to download the fake version of TheCryptoApp from a malicious website that can be accessed from Android device. Otherwise, the download link will refer to the real TheCryptoApp in the Play Store.

Users have also been tricked into downloading MaliBot through scam websites or through smishing, the term for phishing via mobile phone SMS messages.

Smishing is a common technique among mobile banker Trojans “because it allows malware to spread in a rapid and controllable way…MaliBot can send text messages on demand, and once it receives a command’ sendsms’ containing a text to send and a phone list from the C2 server, MaliBot sends the SMS to each phone number,” the researchers explain.

Researchers’ observation of the Trojan IP C2 being used in other malware campaigns since June 2020 indicates that MaliBot operators may also be linked to other campaigns.

How it works?

MaliBot uses a “packer” that can encrypt, compress or change the format of a malicious file to make it unsuspicious, making reverse engineering and analysis all the more difficult.

“Using a Tencent packer, MaliBot decompresses by decrypting an encrypted Dex file from the assets and loading it when running using MultiDex. Once loaded, MaliBot contacts the C2 server to save the infected device and then asks the victim to grant accessibility and launch permissions,” the researchers say.

Once granted permission, MaliBot registers four services that perform most of the malicious operations: background service, notification service, accessibility service, and screenshot service.

The operators behind the Trojan also abuse Android’s Accessibility API, a tool developed to make apps accessible to users with additional needs. This allows mobile apps to perform actions on behalf of the user, including the ability to read text on the screen, press buttons, and listen for other accessibility events, depending on the researchers. The attacker can use this feature to steal sensitive information and manipulate the device to their advantage.

“Flubot, Sharkbot, and Teabot are just a few examples of banking Trojans other than MaliBot that abuse the Accessibility API. This service also allows mobile malware to maintain its persistence. The malware can protect itself against uninstalling and removing permissions by searching for specific text or labels on the screen and pressing the back button to prevent them,” they say.

MaliBot operators also capture credentials by abusing the MFA process. When Google notices that a user is signing in from an unrecognized device, it sends them a prompt asking them to allow or deny the sign-in attempt, or asks them to match a number on the unrecognized device with that displayed on a recognized device. With MaliBot’s screen recording feature, operators seem to capture those credentials.

“Once they use MaliBot to capture credentials, attackers can authenticate to Google accounts on the C2 server using those credentials and use MaliBot to extract MFA codes” , they explain.

MaliBot also abuses the Accessibility API to give Trojan operators full remote control of the infected device, researchers say.

“Android’s Accessibility API allows MaliBot to perform input as if it were the victim. It abuses this feature to implement something resembling a [Virtual Network Computing] server that allows remote control of the victim’s device. The attacker is able to obtain screenshots of the victim and send input commands to the malware to perform actions,” they explain.

“This effectively creates a Remote Access Trojan (RAT) based on the Accessibility API that allows the attacker to easily access the device remotely,” they add.

MaliBot is a “clear example” of the diversity of mobile banking Trojan threats, says Richard Melick, director of threat reporting for mobile security provider Zimperium.

“Even with the recent shutdown of the TeaBot and FluBot malware campaigns, malicious actors are constantly evolving their tactics to reach their targets. Mobile banking apps are proven, high-value targets with little security in place to prevent the Financial institutions need to implement better security controls and active threat detections to stay ahead of rapidly evolving threats like these,” says Melick.