
While tracking the mobile banking malware FluBot, the researchers at F5 Labs discovered the new Malibot threat targeting Android phones. Malibot has a number of features and capabilities that make it an important threat to consider.
How is Malibot distributed?
Malibot is currently distributed by cyber criminals through two different channels.
The first method of distribution is via the web: the fraudsters have created two different websites called “Mining X” and “TheCryptoApp” (Figure A and Figure B).
Figure A

Figure B

TheCryptoApp campaign impersonates a legitimate cryptocurrency tracker application. The user is served the malware link, and can be infected, only when browsing from an Android phone. Browsing from any other device leads to a legitimate link to the genuine TheCryptoApp application in the Google Play Store. Android users are offered a direct download link outside the Google Play Store.
As for the Mining X distribution campaign, clicking on the download link of the website will open a window with a QR code to download the application.
The second distribution channel is via smishing, directly on Android phones: Malibot has the ability to send text messages on demand, and once it receives such a command, it sends texts to a phone list provided by the Malibot command and control server.
What data does Malibot steal?
Malibot is designed to steal information such as personal data, credentials and financial information. To achieve this goal, it can steal cookies, multi-factor authentication data and crypto wallets.
Google accounts
Malibot has a mechanism to collect Google account credentials. When the victim opens a Google application, the malware opens a WebView to a Google login page, forcing the user to sign in and not allowing the user to click a back button.
In addition to collecting Google account credentials, Malibot can also bypass Google’s 2FA. When the user tries to connect to their Google account, a Google prompt screen is displayed, which the malware immediately validates. The 2FA code is sent to the attacker instead of the legitimate user and is then retrieved by the malware to validate the authentication.
Multiple injects for selected online services
The malware also provides the attacker with the list of applications installed on the infected device, letting the attacker know which application the malware can target to show an inject instead. An inject is a page shown to the user that perfectly imitates the legitimate one (Figure C).
Figure C

According to F5 Labs, Malibot's injects target financial institutions in Spain and Italy.
Multi-factor authentication
In addition to the method used to steal Google accounts, Malibot can also steal multi-factor authentication codes from Google Authenticator on demand. MFA codes sent to the mobile phone by SMS are intercepted and exfiltrated by the malware.
Crypto Wallets
Malibot can steal data from Binance and Trust cryptocurrency wallets.
The malware tries to get the total balance of the victim’s wallets for both Binance and Trust and export it to the C2 server.
As for the Trust wallet, Malibot can also collect the victim’s seed phrases, allowing the attacker to later transfer all the funds to another wallet of their choice.
SMS fraud
Malibot can send text messages on demand. While it usually uses this capability to spread via smishing, it can also send Premium SMSes that charge the victim’s mobile credits, if enabled.
How does Malibot gain control of the infected device?
Malibot makes heavy use of Android’s accessibility API, which allows mobile applications to perform actions on behalf of the user. This allows the malicious software to steal information and maintain persistence. More specifically, it protects itself against uninstallation and permission removal by watching for specific text or labels on the screen and pressing the back button to block the action.
Malibot: A Very Active Threat
Malibot developers want it to go unnoticed and persist on infected devices for as long as possible. To avoid being killed or interrupted by the operating system in case of inactivity, the malware is set up as a launcher. Each time its activity is checked, the service is started or woken up.
A few extra protections are included in the malware, but are not used. F5 researchers have found a feature to detect whether the malware is running in a simulated environment. Another unused feature sets the malware as a hidden application.
More Malibot targets are coming, US may have already been hit
While the F5 Labs investigation revealed targets in Spain and Italy, they also found ongoing activity that could indicate cybercriminals targeting US citizens.
One domain used by the same threat actor impersonates US tax authorities and leads to a “Trust NFT” website (Figure D) to download the malware.
Figure D

Another website that uses the COVID-19 theme in its domain name leads to the same content. Researchers expect the attackers to deploy more malware through these new websites in other parts of the world, including the US.
How to protect yourself from Malibot
The malware is only distributed from websites built by the cyber criminals and via SMS. It is currently not distributed through any legitimate Android platform like the Google Play Store.
Never install an application on an Android device that can be downloaded directly with one click. Users should only install applications from trusted and legitimate application stores and platforms. Users should never install applications from a link they receive by SMS.
Install comprehensive security applications on the Android device to protect it from known threats.
When installing an application, permissions should be carefully checked. The Malibot malware asks for SMS send permissions on first launch, which should arouse suspicion.
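The permission check above can be automated for sideloaded APKs. The following is an added example, not code from F5 Labs or from this article: it audits a decoded AndroidManifest.xml for the traits described here (an accessibility service, SMS permissions, launcher registration). The sample manifest and package name are constructed, and treating the HOME intent category as the sign of launcher registration is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a hypothetical sideloaded app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cryptotracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
      </intent-filter>
    </activity>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return the sorted risk indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    name = lambda el: el.get(ANDROID_NS + "name", "")
    findings = set()
    requested = {name(p) for p in root.iter("uses-permission")}
    if "android.permission.SEND_SMS" in requested:
        findings.add("sms-send")          # smishing / premium SMS capability
    if requested & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        findings.add("sms-read")          # can see SMS-delivered MFA codes
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == BIND_A11Y:
            findings.add("accessibility-service")
    for cat in root.iter("category"):
        if name(cat) == "android.intent.category.HOME":  # assumption: launcher marker
            findings.add("registers-as-launcher")
    return sorted(findings)

def is_suspicious(xml_text):
    # Accessibility control combined with SMS sending is the pairing described above.
    return {"accessibility-service", "sms-send"} <= set(audit_manifest(xml_text))
```

Any single indicator also appears in legitimate apps; it is the combination, in an app installed from outside an official store, that warrants review.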
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.