As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot.
“DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring,” Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said.
“Furthermore, it leverages dual-channel communication, transmitting outbound data via MQTT and receiving inbound commands through HTTPS, providing enhanced operational flexibility and resilience.”
The Italian fraud prevention company said it discovered the malware in late October 2024, although there is evidence to suggest that it has been active since at least June, operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.

At least 17 affiliate groups have been identified as paying for access to the offering. This also includes access to a web panel from which they can modify the configuration to create custom APK files embedding the malware, as well as interact with the infected devices by issuing various commands.
Campaigns leveraging DroidBot have been primarily observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the U.K. The malicious apps are disguised as generic security applications, Google Chrome, or popular banking apps.
While the malware leans heavily on abusing Android’s accessibility services to harvest sensitive data and remotely control the Android device, it stands apart for leveraging two different protocols for command-and-control (C2).

Specifically, DroidBot employs HTTPS for inbound commands, while outbound data from infected devices is transmitted using a messaging protocol called MQTT.
“This separation enhances its operational flexibility and resilience,” the researchers said. “The MQTT broker used by DroidBot is organised into specific topics that categorise the types of communication exchanged between the infected devices and the C2 infrastructure.”
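The split C2 design described above gives defenders a behavioural signal: a handset that pushes bulk data to an MQTT broker it has no business talking to while also holding an HTTPS channel. The following is an added illustration, not Cleafy's code or any DroidBot indicator; the flow records, hostnames, broker allowlist and byte thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), one dict per flow,
# as a mobile device management or network sensor export might provide.
FLOWS = [
    {"device": "phone-01", "dst": "mqtt.example-broker.test", "port": 8883,
     "proto": "mqtt", "bytes_out": 48210, "bytes_in": 900},
    {"device": "phone-01", "dst": "api.example-cdn.test", "port": 443,
     "proto": "https", "bytes_out": 600, "bytes_in": 2100},
    {"device": "phone-02", "dst": "broker.corp-iot.test", "port": 8883,
     "proto": "mqtt", "bytes_out": 1200, "bytes_in": 300},
    {"device": "phone-02", "dst": "mail.corp.test", "port": 443,
     "proto": "https", "bytes_out": 9000, "bytes_in": 12000},
    {"device": "phone-03", "dst": "www.bank.test", "port": 443,
     "proto": "https", "bytes_out": 500, "bytes_in": 40000},
]

# Assumed allowlist: MQTT brokers the organisation's own apps legitimately use.
KNOWN_BROKERS = {"broker.corp-iot.test"}


def summarize(flows):
    """Aggregate, per device, outbound MQTT volume, the brokers contacted,
    and the number of HTTPS flows (the candidate inbound command channel)."""
    per = defaultdict(lambda: {"mqtt_out": 0, "mqtt_hosts": set(), "https_flows": 0})
    for f in flows:
        s = per[f["device"]]
        if f["proto"] == "mqtt":
            s["mqtt_out"] += f["bytes_out"]
            s["mqtt_hosts"].add(f["dst"])
        elif f["proto"] == "https":
            s["https_flows"] += 1
    return per


def flag_dual_channel(flows, known_brokers=KNOWN_BROKERS, min_mqtt_out=4096):
    """Return device ids matching the dual-channel pattern: bulk outbound MQTT
    to a broker outside the allowlist plus HTTPS activity from the same device.
    The 4 KiB threshold is an assumption to tune against real baselines."""
    flagged = []
    for dev, s in summarize(flows).items():
        unknown = s["mqtt_hosts"] - known_brokers
        if unknown and s["mqtt_out"] >= min_mqtt_out and s["https_flows"] > 0:
            flagged.append(dev)
    return sorted(flagged)
```

With the constructed records only phone-01 is flagged; phone-02 talks to an allowlisted broker and phone-03 uses no MQTT at all. Classifying a flow as MQTT by port alone misses brokers on non-standard ports, so protocol detection from the sensor is preferable where available.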
The exact origins of the threat actors behind the operation are not known, although an analysis of the malware samples has revealed that they are Turkish speakers.
“The malware presented here may not shine from a technical standpoint, as it’s quite similar to known malware families,” the researchers noted. “However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme – something not commonly seen in this type of threat.”