
This $3,000 Android Trojan Is Targeting Banks and Cryptocurrency Exchanges


Dec 05, 2024 | Ravie Lakshmanan | Cryptocurrency / Mobile Security


As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot.

“DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring,” Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said.

“Moreover, it leverages dual-channel communication, transmitting outbound data via MQTT and receiving inbound commands through HTTPS, offering enhanced operational flexibility and resilience.”


The Italian fraud prevention company said it discovered the malware in late October 2024, although there is evidence to suggest that it has been active since at least June, operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.


At least 17 affiliate groups have been identified as paying for access to the offering. This also includes access to a web panel from which they can modify the configuration to create custom APK files embedding the malware, as well as interact with the infected devices by issuing various commands.

Campaigns leveraging DroidBot have been primarily observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the U.K. The malicious apps are disguised as generic security applications, Google Chrome, or popular banking apps.

While the malware leans heavily on abusing Android's accessibility services to harvest sensitive data and remotely control the Android device, it stands apart for leveraging two different protocols for command-and-control (C2).


Specifically, DroidBot employs HTTPS for inbound commands, while outbound data from infected devices is transmitted using a messaging protocol called MQTT. MQTT is a lightweight publish/subscribe protocol, typically spoken over TCP port 1883 (or 8883 with TLS), that is far more common on IoT devices than in consumer Android apps, which makes a phone app maintaining a session with an MQTT broker a useful signal in network telemetry.


“This separation enhances its operational flexibility and resilience,” the researchers said. “The MQTT broker used by DroidBot is organised into specific topics that categorise the types of communication exchanged between the infected devices and the C2 infrastructure.”
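Because the outbound channel is MQTT, an analyst triaging a capture from a suspect device mostly wants two things out of the client-to-broker stream: what the CONNECT packet carries (client identifier, any username or password) and which topics the device publishes to, since, per the researchers, the topic layout is how the operators categorise the traffic. The following is an added example written for this article, not Cleafy's tooling and not code from DroidBot: a minimal MQTT 3.1.1 packet builder and parser in Python, exercised on a stream constructed inline. The client ID, username and topic names are placeholders and are not indicators from the campaign. It assumes a plaintext stream; for a session on port 8883 you would need the TLS session keys before any of this applies.

```python
"""Minimal MQTT 3.1.1 builder/parser for triaging a client->broker capture.
Added example, not Cleafy tooling or DroidBot code. The packets below are
constructed; client ID, username and topics are placeholders, not campaign
indicators."""
import struct

CONNECT, PUBLISH = 1, 3  # MQTT control packet types (high nibble of byte 0)

def encode_remaining_length(n):
    """MQTT 'remaining length': 7 bits per byte, MSB set means more follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(buf, pos):
    """Inverse of encode_remaining_length; returns (value, next_offset)."""
    value, multiplier = 0, 1
    for i in range(4):
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")

def utf8(s):
    """Length-prefixed UTF-8 string, the encoding used for every MQTT string."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def read_utf8(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def build_connect(client_id, username=None, keepalive=60):
    flags, payload = 0x02, utf8(client_id)          # 0x02 = clean session
    if username is not None:
        flags |= 0x80                               # username flag
        payload += utf8(username)
    body = utf8("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + payload
    return bytes([CONNECT << 4]) + encode_remaining_length(len(body)) + body

def build_publish(topic, payload, qos=0, packet_id=1):
    body = utf8(topic) + (struct.pack(">H", packet_id) if qos else b"") + payload
    return bytes([PUBLISH << 4 | qos << 1]) + encode_remaining_length(len(body)) + body

def parse_packet(buf, pos=0):
    """Parse one control packet at buf[pos]; returns (info, next_offset)."""
    ptype, flags = buf[pos] >> 4, buf[pos] & 0x0F
    rem_len, start = decode_remaining_length(buf, pos + 1)
    end = start + rem_len
    if end > len(buf):
        raise ValueError("truncated packet")
    body, info = buf[start:end], {"type": ptype}
    if ptype == CONNECT:
        info["protocol"], p = read_utf8(body, 0)
        cflags = body[p + 1]        # body[p] is protocol level, then 2-byte keep-alive
        info["client_id"], p = read_utf8(body, p + 4)
        if cflags & 0x04:                           # will flag: topic, then message
            info["will_topic"], p = read_utf8(body, p)
            p += 2 + struct.unpack_from(">H", body, p)[0]   # skip binary will message
        if cflags & 0x80:
            info["username"], p = read_utf8(body, p)
        if cflags & 0x40:
            info["password"], p = read_utf8(body, p)
    elif ptype == PUBLISH:
        qos = (flags >> 1) & 0x03
        info["topic"], p = read_utf8(body, 0)
        if qos:                                     # QoS 1/2 carry a packet identifier
            (info["packet_id"],) = struct.unpack_from(">H", body, p)
            p += 2
        info["qos"], info["payload"] = qos, body[p:]
    return info, end

def parse_stream(buf):
    packets, pos = [], 0
    while pos < len(buf):
        info, pos = parse_packet(buf, pos)
        packets.append(info)
    return packets

def summarize(buf):
    """Who connected, which topics were published to, and how many bytes went out."""
    out = {"client_id": None, "username": None, "topics": [], "bytes_published": 0}
    for pkt in parse_stream(buf):
        if pkt["type"] == CONNECT:
            out["client_id"], out["username"] = pkt["client_id"], pkt.get("username")
        elif pkt["type"] == PUBLISH:
            if pkt["topic"] not in out["topics"]:
                out["topics"].append(pkt["topic"])
            out["bytes_published"] += len(pkt["payload"])
    return out

# Constructed sample of a client->broker stream (placeholder names only).
SAMPLE_STREAM = (
    build_connect("device-01", username="user")
    + build_publish("example/keylog", b"hello", qos=1, packet_id=7)
    + build_publish("example/ui", b"screen-state")
)
```

Running `summarize(SAMPLE_STREAM)` yields the client ID, the username from the CONNECT packet, the two topics in first-seen order and 17 bytes published. On a real capture the interesting output is the topic list: it reveals the broker's namespace the researchers describe, and the credentials in CONNECT (MQTT sends them in the clear unless the session is TLS) can be pivoted on across samples. The builder side is there so you can craft packets to test your own MQTT egress detections without standing up a broker.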

The exact origins of the threat actors behind the operation are not known, although an analysis of the malware samples has revealed that they are Turkish speakers.

“The malware presented here may not shine from a technical standpoint, as it is quite similar to known malware families,” the researchers noted. “However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme – something not commonly seen in this type of threat.”
