As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot.
"DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring," Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said.
"Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operational flexibility and resilience."
The Italian fraud prevention company said it discovered the malware in late October 2024, although there is evidence to suggest that it has been active since at least June, operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.
At least 17 affiliate groups have been identified as paying for access to the offering. This also includes access to a web panel from which they can modify the configuration to create custom APK files embedding the malware, as well as interact with the infected devices by issuing various commands.
Campaigns leveraging DroidBot have been primarily observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom. The malicious apps are disguised as generic security applications, Google Chrome, or popular banking apps.
While the malware relies heavily on abusing Android's accessibility services to harvest sensitive data and remotely control the Android device, it stands apart for leveraging two different protocols for command-and-control (C2).
Specifically, DroidBot uses HTTPS for inbound commands, while outbound data from infected devices is transmitted using a messaging protocol called MQTT.
"This separation enhances its operational flexibility and resilience," the researchers said. "The MQTT broker used by DroidBot is organised into specific topics that categorise the types of communication exchanged between the infected devices and the C2 infrastructure."
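As an added illustration for defenders (not code from the Cleafy report), the following Python hunt correlates, per device, an outbound MQTT session with short-interval HTTPS polling of a single host, the dual-channel pattern described above. The log lines, hostnames, ports and thresholds are all constructed assumptions; in practice the same logic would run over mobile proxy or NetFlow exports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (assumed format): timestamp, device, dst host, dst port.
# dev-a shows both channels, dev-b only HTTPS, dev-c only MQTT (a legitimate IoT app).
SAMPLE_LOG = """\
2024-11-02T10:00:00 dev-a broker.example-c2.test 8883
2024-11-02T10:00:05 dev-a panel.example-c2.test 443
2024-11-02T10:00:35 dev-a panel.example-c2.test 443
2024-11-02T10:01:05 dev-a panel.example-c2.test 443
2024-11-02T10:00:10 dev-b cdn.example-legit.test 443
2024-11-02T10:03:00 dev-b cdn.example-legit.test 443
2024-11-02T10:00:12 dev-c mqtt.iot-vendor.test 1883
"""

MQTT_PORTS = {1883, 8883}  # plain and TLS MQTT


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, device, host, port) tuples."""
    rows = []
    for line in text.splitlines():
        ts, dev, host, port = line.split()
        rows.append((datetime.fromisoformat(ts), dev, host, int(port)))
    return rows


def find_dual_channel_devices(rows, min_https_beacons=3, max_gap_s=60):
    """Return {device: https_host} for devices that hold an MQTT session and also
    poll one HTTPS host at least min_https_beacons times with gaps <= max_gap_s."""
    mqtt_devices = set()
    https_polls = defaultdict(list)  # (device, host) -> list of timestamps
    for ts, dev, host, port in rows:
        if port in MQTT_PORTS:
            mqtt_devices.add(dev)
        elif port == 443:
            https_polls[(dev, host)].append(ts)

    flagged = {}
    for (dev, host), times in https_polls.items():
        if dev not in mqtt_devices or len(times) < min_https_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(g <= max_gap_s for g in gaps):  # steady, short-interval polling
            flagged[dev] = host
    return flagged


if __name__ == "__main__":
    print(find_dual_channel_devices(parse_log(SAMPLE_LOG)))
```

Only dev-a is reported; MQTT alone (dev-c) or HTTPS alone (dev-b) is ordinary traffic, so the correlation, not either channel, carries the signal.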
The exact origins of the threat actors behind the operation are not known, although an analysis of the malware samples has revealed that they are Turkish speakers.
"The malware presented here may not shine from a technical standpoint, as it is quite similar to known malware families," the researchers noted. "However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme – something not commonly seen in this type of threat."