As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot.
“DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring,” Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said.
“Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience.”
The Italian fraud prevention firm said it discovered the malware in late October 2024, though there is evidence to suggest that it has been active since at least June, operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.
At least 17 affiliate groups have been identified as paying for access to the offering. This also includes access to a web panel from which they can modify the configuration to create custom APK files embedding the malware, as well as interact with the infected devices by issuing various commands.
Campaigns leveraging DroidBot have been primarily observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the UK. The malicious apps are disguised as generic security applications, Google Chrome, or popular banking apps.
While the malware leans heavily on abusing Android's accessibility services to harvest sensitive data and remotely control the Android device, it stands apart for leveraging two different protocols for command-and-control (C2).
Specifically, DroidBot employs HTTPS for inbound commands, while outbound data from infected devices is transmitted using a messaging protocol called MQTT.
“This separation enhances its operational flexibility and resilience,” the researchers said. “The MQTT broker used by DroidBot is organised into specific topics that categorise the types of communication exchanged between the infected devices and the C2 infrastructure.”
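Because the outbound channel is plain MQTT rather than HTTP, a network sensor can recognise it from the packet framing alone, whatever port the broker listens on. The following is an added example (not Cleafy's tooling, and the broker, client identifier and topic names are constructed placeholders, not DroidBot's): a minimal MQTT 3.1.1 decoder that pulls the client ID out of a CONNECT packet and the topic names out of PUBLISH packets, which is what an analyst would pivot on when hunting for a mobile device publishing to an unexpected broker.

```python
"""Minimal MQTT 3.1.1 CONNECT/PUBLISH decoder for hunting MQTT-based exfil."""
import struct


def _remaining_length(buf, pos):
    """Decode the MQTT variable-length 'remaining length' field (1-4 bytes)."""
    value, multiplier = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128


def _utf8_field(buf, pos):
    """Read a length-prefixed UTF-8 string (2-byte big-endian length)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def parse_packets(buf):
    """Return one dict per control packet found in a contiguous TCP payload."""
    pos, out = 0, []
    while pos < len(buf):
        ptype, flags = buf[pos] >> 4, buf[pos] & 0x0F
        rem, body = _remaining_length(buf, pos + 1)
        end = body + rem
        if ptype == 1:  # CONNECT: protocol name, level, flags, keepalive, client id
            proto, p = _utf8_field(buf, body)
            level, keepalive = buf[p], struct.unpack_from(">H", buf, p + 2)[0]
            client_id, p = _utf8_field(buf, p + 4)
            out.append({"type": "CONNECT", "proto": proto, "level": level,
                        "client_id": client_id, "keepalive": keepalive})
        elif ptype == 3:  # PUBLISH: topic, optional packet id, payload
            qos = (flags >> 1) & 0x03
            topic, p = _utf8_field(buf, body)
            if qos:
                p += 2  # packet identifier is present only for QoS 1 and 2
            out.append({"type": "PUBLISH", "topic": topic, "qos": qos,
                        "payload": buf[p:end]})
        else:
            out.append({"type": ptype})
        pos = end
    return out


def published_topics(packets):
    """Distinct topics a client published to; the hunt pivots on these names."""
    return sorted({p["topic"] for p in packets if p.get("type") == "PUBLISH"})


# Constructed sample stream (not real DroidBot traffic): CONNECT then a QoS-0 PUBLISH.
def _enc(s):
    return struct.pack(">H", len(s)) + s.encode()
_conn = _enc("MQTT") + bytes([4, 0x02]) + struct.pack(">H", 60) + _enc("device-0001")
_pub = _enc("constructed/keylog") + b"constructed payload"
SAMPLE = bytes([0x10, len(_conn)]) + _conn + bytes([0x30, len(_pub)]) + _pub
```

Feeding carved TCP payloads from an egress sensor through `parse_packets` and alerting on any managed Android device whose traffic decodes as a valid MQTT CONNECT turns the protocol choice described above into a detection signal.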
The exact origins of the threat actors behind the operation are not known, although an analysis of the malware samples has revealed that they are Turkish speakers.
“The malware presented here may not shine from a technical standpoint, as it is quite similar to known malware families,” the researchers noted. “However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme – something not commonly seen in this type of threat.”