DroidBot is an advanced Android Remote Access Trojan (RAT) that targets 77 distinct entities, including national organizations, cryptocurrency exchanges, and banks.
Active campaigns have been detected in the United Kingdom, Italy, France, Spain, and Portugal, with indications that operations may expand into Latin America.
Researchers found and examined this novel Android RAT in late October 2024. A subsequent assessment found signs of the threat dating back to June 2024.
Analysis of DroidBot samples also uncovered its Malware-as-a-Service (MaaS) infrastructure, with 17 distinct affiliate groups identified, each assigned a unique identifier.
Overview Of The DroidBot Malware
DroidBot is a sophisticated Android Remote Access Trojan (RAT) that combines the traditional hidden VNC and overlay capabilities of banking malware with characteristics typically found in spyware.
“It includes a keylogger and monitoring routines that enable the interception of user interactions, making it a powerful tool for surveillance and credential theft”, said the Cleafy TIR team.
DroidBot’s dual-channel communication system is one of its unique features. Inbound commands, such as overlay target parameters, are received over HTTPS, while outbound data from compromised devices is sent using the MQTT (Message Queuing Telemetry Transport) protocol. Splitting the two directions across different protocols makes the operation more flexible and resilient.
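To make the outbound MQTT channel concrete, here is an added example (not code from the original article or from Cleafy's analysis) that builds and then parses MQTT 3.1.1 CONNECT and PUBLISH packets the way a network sensor sees them on the TCP payload. The client ID, topic names and message contents are constructed and hypothetical; the page does not describe DroidBot's real topic scheme. The parser is generic MQTT, so it also works on any other captured MQTT stream, not only on the sample built here.

```python
import struct

# MQTT control packet types (high nibble of the fixed header's first byte)
MQTT_CONNECT = 1
MQTT_PUBLISH = 3


def _encode_remaining_length(n):
    """Encode MQTT's variable-length 'remaining length' (7 bits per byte, MSB = more follows)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _decode_remaining_length(data, pos):
    value, multiplier = 0, 1
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:          # spec allows at most 4 length bytes
            raise ValueError("malformed remaining length")


def _mqtt_string(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8", errors="replace"), pos + n


def encode_connect(client_id, keepalive=60):
    """Minimal MQTT 3.1.1 CONNECT: clean session, no will, no username/password."""
    body = (_mqtt_string("MQTT") + bytes([4, 0x02]) + struct.pack(">H", keepalive)
            + _mqtt_string(client_id))
    return bytes([MQTT_CONNECT << 4]) + _encode_remaining_length(len(body)) + body


def encode_publish(topic, payload, qos=0, packet_id=1):
    """PUBLISH: topic, then a packet identifier only when QoS > 0, then the raw payload."""
    body = _mqtt_string(topic)
    if qos:
        body += struct.pack(">H", packet_id)
    body += payload
    return bytes([(MQTT_PUBLISH << 4) | (qos << 1)]) + _encode_remaining_length(len(body)) + body


def parse_mqtt_stream(data):
    """Walk a raw MQTT byte stream and return a list of (packet type, decoded fields)."""
    packets, pos = [], 0
    while pos < len(data):
        first = data[pos]
        ptype, flags = first >> 4, first & 0x0F
        rem, body_start = _decode_remaining_length(data, pos + 1)
        body = data[body_start:body_start + rem]
        if len(body) != rem:
            raise ValueError("truncated packet at offset %d" % pos)
        pos = body_start + rem
        if ptype == MQTT_CONNECT:
            proto, p = _read_string(body, 0)
            level, cflags = body[p], body[p + 1]
            (keepalive,) = struct.unpack_from(">H", body, p + 2)
            client_id, p = _read_string(body, p + 4)
            username = password = None
            if cflags & 0x04:                  # will flag set: skip will topic and will message
                _, p = _read_string(body, p)
                _, p = _read_string(body, p)
            if cflags & 0x80:
                username, p = _read_string(body, p)
            if cflags & 0x40:
                password, p = _read_string(body, p)
            packets.append(("CONNECT", {"protocol": proto, "level": level, "client_id": client_id,
                                        "keepalive": keepalive, "username": username,
                                        "password": password}))
        elif ptype == MQTT_PUBLISH:
            qos = (flags >> 1) & 0x03
            topic, p = _read_string(body, 0)
            packet_id = None
            if qos:
                (packet_id,) = struct.unpack_from(">H", body, p)
                p += 2
            packets.append(("PUBLISH", {"topic": topic, "qos": qos, "packet_id": packet_id,
                                        "payload": body[p:]}))
        else:
            packets.append(("OTHER", {"type": ptype}))
    return packets


# Constructed sample session: one CONNECT followed by two PUBLISHes. The client ID, topics
# and payloads are hypothetical illustrations of exfiltrated data, not DroidBot artifacts.
SAMPLE_STREAM = (
    encode_connect("device-3f9a")
    + encode_publish("sms/in", b'{"from":"BANK","body":"Your TAN is 482913"}')
    + encode_publish("keylog", b"user@example.com", qos=1, packet_id=7)
)


def summarize(stream):
    """Reduce a parsed stream to what an analyst keys on: who connected and which topics were published."""
    parsed = parse_mqtt_stream(stream)
    return {"client_ids": [f["client_id"] for t, f in parsed if t == "CONNECT"],
            "topics": [f["topic"] for t, f in parsed if t == "PUBLISH"],
            "packet_count": len(parsed)}


if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))
```

If the broker connection is wrapped in TLS, this parsing applies only to decrypted or plaintext captures; the detection value for defenders is that the CONNECT client ID and the PUBLISH topics are the fields to key on, and that a banking-themed app opening a persistent MQTT session at all is unusual.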
Based on the information found in malware samples (such as configuration files and debug strings), researchers believe that most of its developers speak Turkish.
The malware also appears to be under active development. Some features, including obfuscation, emulator checks, and multi-stage unpacking, differ between samples, while others, such as root checks, are placeholders that have not yet been properly implemented.
“The combination of advanced surveillance features, dual-channel communication, a diverse target list, and an active MaaS infrastructure highlights DroidBot’s sophistication and adaptability”, researchers said.
“As it evolves, this malware poses an escalating threat to financial institutions, government entities, and other high-value targets across multiple regions”.
TTPs Behind DroidBot Campaigns
Attackers use popular decoys commonly seen in banking malware distribution efforts to trick victims into downloading and installing DroidBot.
The malware poses as well-known banking apps, Google services, or generic security apps.
DroidBot’s malicious operations rely mostly on abusing Android Accessibility Services. The malware appears to have been built with the B4A (Basic4Android) framework, which is widely used for native Android application development.
Notably, B4A has frequently been used in malware created by Brazilian threat actors, including the BRATA family and its well-known Copybara variant.
The functionalities of the Android banking malware are as follows:
SMS Interception: Monitors incoming SMS messages, the channel financial institutions frequently use to deliver transaction authentication numbers (TANs).
Key-Logging: Abuses Accessibility Services to capture what the user types and what is shown on screen, including login credentials, account balances, and personal information.
Overlay Attack: Displays a fake login page on top of the legitimate app to harvest valid credentials.
VNC-Like Routine: Periodically captures screenshots of the victim’s device, giving the operators a near real-time view of what is happening on it.
Screen Interaction: Lets the operators control the compromised device remotely by executing commands that mimic user actions, such as pressing buttons, filling in forms, and navigating between apps.
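The capability list above maps onto concrete artifacts an analyst can look for when triaging a suspicious APK. Below is an added example (not code from the article or from the Cleafy research) that parses a decoded AndroidManifest.xml and flags the permission and service declarations that SMS interception, overlay attacks, and accessibility abuse require. The capability-to-permission mapping is this example's own heuristic derived from the list above, not a published DroidBot signature, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Heuristic mapping from the capabilities listed above to manifest-level evidence.
# This is the example's own mapping, not a signature taken from the DroidBot analysis.
INDICATORS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay_attack": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# Keylogging and screen interaction need an accessibility service: a <service> guarded by
# BIND_ACCESSIBILITY_SERVICE with the AccessibilityService intent filter.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml):
    """Return {capability: [evidence]} for the banker-style capabilities found in a manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = {}
    for capability, perms in INDICATORS.items():
        hit = sorted(requested & perms)
        if hit:
            findings[capability] = hit
    for svc in root.iter("service"):
        if svc.get(PERMISSION) != BIND_ACCESSIBILITY:
            continue
        actions = {a.get(NAME) for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            findings.setdefault("accessibility_service", []).append(svc.get(NAME))
    return findings


def score(findings):
    """Any single indicator is common in legitimate apps (SMS clients, accessibility tools,
    screen filters); the combination of all three is the banking-trojan profile described above."""
    return len(findings)


# Constructed sample: a fake banking app declaring the full set of indicators.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Secure Banking">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(m)
        print(label, score(f), f)
```

Screenshot capture and remote interaction are performed through the accessibility or MediaProjection APIs and leave little manifest-level evidence, so they are covered only indirectly by the accessibility-service check; runtime behaviour (the service actually being enabled, screenshots being taken) still has to be confirmed dynamically.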
Malware-as-a-Service (MaaS) is a cybercrime business model in which malware developers rent or sell their malicious software and supporting services to other criminals.
An analysis of malware configurations and DroidBot Command-and-Control (C2) infrastructure revealed signs of such a private MaaS network.
DroidBot applies a paradigm that is well known but not yet widely adopted among mobile threats.
Although its technical sophistication is not especially high, the distribution and affiliate model raises serious concerns: multiple affiliates running campaigns in parallel greatly expands the attack surface that defenders must monitor.
Researchers say this change of scale might be the crucial aspect, because the resulting growth in the volume of data to be monitored sharply increases the cognitive load on analysts.
Unless an effective real-time monitoring system backs them up, this could seriously overburden financial institutions’ anti-fraud teams.