Pierluigi Paganini June 18, 2022

Malibot is a new Android malware targeting online banking and cryptocurrency wallet customers in Spain and Italy.

F5 Labs researchers spotted a new strain of Android malware, named Malibot, that is targeting online banking and cryptocurrency wallet customers in Spain and Italy. The experts documented attacks against multiple banks, including UniCredit, Santander, CaixaBank, and CartaBCC.

The malware was discovered two weeks after an international law enforcement operation dismantled the FluBot malware.

The malware supports a broad range of features, including the ability to steal credentials, cookies, and bypass multi-factor authentication (MFA) codes. The malicious code also is also able to remotely control infected devices using a VNC server implementation

MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”, experts also observed the malicious code masqueraded as “MySocialSecurity” and “Chrome” apps.

The experts discovered that the C2 is in Russia and that the malware used the same servers that were associated with the Sality malware operation. The C2 is active at least since June of 2020, the malware is a heavily modified re-working of the SOVA Android banking trojan, but supports different functionality, and has different targets, C2 servers, domains and packing schemes.

The malware is distributed through malicious websites or via smashing attacks.

“Distribution of MaliBot is performed by attracting victims to fraudulent websites where they are tricked into downloading the malware, or by directly sending SMS phishing messages (smishing) to mobile phone numbers.” reads the advisory published by F5 Labs.

Like other banking Trojan, Malibot abuses the Accessibility Service to implements a VNC-like functionality using the Accessibility API, grabs information from screen, and populate bus object which saves device’s states.

“MaliBot listens for events using the Accessibility Service. If it detects that the victim has opened an app on the list of targets, it will set up a WebView that displays an HTML overlay to the victim.” continues the report.

Malibot abuses the access to the Accessibility API to bypass Google 2FA methods.

“MaliBot is most obviously a threat to customers of Spanish and Italian banks, but we can expect a broader range of targets to be added to the app as time goes on. In addition, the versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency.” concludes the report. “In fact, any application which makes use of WebView is liable to having the users’ credentials and cookies stolen.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Malibot)

[adrotate banner=”5″]

[adrotate banner=”13″]