While tracking the mobile banking trojan FluBot, F5 Labs recently discovered a new strain of Android malware which we have dubbed “MaliBot”. While its main targets are online banking customers in Spain and Italy, its ability to steal credentials, cookies, and bypass multi-factor authentication (MFA) codes means that Android users all over the world must be vigilant.

Some of MaliBot’s key characteristics include:

- MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”, and occasionally assumes some other guises, such as “MySocialSecurity” and “Chrome”.
- MaliBot is focused on stealing financial information, credentials, crypto wallets, and personal data (PII), and also targets financial institutions in Italy and Spain.
- MaliBot is capable of stealing and bypassing multi-factor (2FA/MFA) codes.
- It includes the ability to remotely control infected devices using a VNC server implementation.

This article is a deep dive into the tactics and techniques this malware strain employs to steal personal data and evade detection.

MaliBot’s command and control (C2) is in Russia and appears to use the same servers that were used to distribute the Sality malware. Many campaigns have originated from this IP since June of 2020 (see Indicators of Compromise). It is a heavily modified re-working of the SOVA malware, with different functionality, targets, C2 servers, domains and packing schemes.

MaliBot has an extensive array of features:

- Theft of cryptocurrency wallets (Binance, Trust).
- The ability to bypass Google two-step authentication.
- VNC access to the device and screen capturing.
- The ability to run and delete applications on demand.
- The ability to send SMS messages on demand.
- Information gathering from the device, including its IP, AndroidID, model, language, installed application list, screen and locked states, and reporting on the malware’s own capabilities.
- Extensive logging of any successful or failed operations, phone activities (calls, SMS) and any errors.

Distribution of MaliBot is performed by attracting victims to fraudulent websites where they are tricked into downloading the malware, or by directly sending SMS phishing messages (smishing) to mobile phone numbers.

The malware authors have so far created two campaigns – “Mining X” and “TheCryptoApp” – each of which has a website with a download link to the malware (see Campaign Screenshots in the Appendix). The TheCryptoApp campaign attempts to trick people into downloading the malware instead of the legitimate TheCryptoApp, a cryptocurrency tracker app with more than 1 million downloads in the Google Play Store.