
New Android banking malware disguised as crypto app to spread

Image: concept illustration of a trojan horse combined with an encryption program (Jackie Niam/Adobe Stock)

While tracking the mobile banking malware FluBot, the researchers at F5 Labs discovered the new Malibot threat targeting Android phones. Malibot has a number of features and capabilities that make it an important threat to consider.


How is Malibot distributed?

Malibot is currently distributed by cyber criminals through two different channels.

The first method of distribution is via the web: the fraudsters have created two different websites called “Mining X” and “TheCryptoApp” (Figure A and Figure B).

Figure A

TheCryptoApp website built by the cyber criminals to distribute Malibot.

Figure B

The MiningX website built by the cyber criminals to distribute Malibot.

The TheCryptoApp campaign impersonates a legitimate cryptocurrency tracker application. The visitor is only served the malware link when browsing from an Android phone; browsing from any other device yields a legitimate link to the genuine TheCryptoApp application in the Google Play Store. Android users are instead offered a direct download link outside the Google Play Store.

As for the Mining X campaign, clicking the download link on the website opens a window with a QR code to download the application.

The second distribution channel is smishing, directly on Android phones: Malibot can send text messages on demand, and once it receives such a command it sends texts to a list of phone numbers supplied by the Malibot command and control (C2) server.

What data does Malibot steal?

Malibot is designed to steal personal information, credentials and financial data. To achieve this, it can steal cookies, multi-factor authentication data and crypto wallets.

Google accounts

Malibot has a mechanism for collecting Google account credentials. When the victim opens a Google application, the malware opens a WebView to a Google login page, forcing the user to sign in and preventing them from using the back button.

In addition to collecting the Google account credentials, Malibot can also bypass Google’s 2FA. When the user tries to sign in to their Google account, a Google prompt screen is displayed, which the malware validates immediately. The 2FA code is sent to the attacker instead of the legitimate user and is then retrieved by the malware to complete the authentication.

Multiple injections for selected online services

The malware also sends the attacker the list of applications installed on the device, letting the attacker know which application can be hijacked by the malware to display an inject instead. An inject is a page shown to the user that perfectly imitates the legitimate one (Figure C).

Figure C

Image: F5 Labs. Inject for Unicredit Italian banking company revealed by the malware.

According to F5 Labs, Malibot currently carries injects for financial institutions in Spain and Italy.

Multi-factor authentication

In addition to the method used to steal Google accounts, Malibot can also steal multi-factor authentication codes from Google Authenticator on demand. MFA codes sent to the phone by SMS are intercepted and exfiltrated by the malware.

Crypto Wallets

Malibot can steal data from Binance and Trust cryptocurrency wallets.

The malware tries to obtain the total balance of the victim’s Binance and Trust wallets and export it to the C2 server.

As for the Trust wallet, Malibot can also collect the seed phrases for the victim, allowing the attacker to later transfer all the funds to another wallet of their choice.

SMS fraud

Malibot can send text messages on demand. While it usually uses this capability to spread via smishing, it can also send premium SMS messages that charge the victim’s mobile credit, if enabled.

How does Malibot gain control of the infected device?

Malibot makes heavy use of Android’s accessibility API, which allows mobile applications to perform actions on behalf of the user. This lets the malware steal information and maintain persistence. More specifically, it defends itself against uninstallation and permission revocation by watching for specific text or labels on the screen and pressing the back button to cancel the action.

Malibot: A Very Active Threat

Malibot’s developers want it to go unnoticed and persist on infected devices for as long as possible. To avoid being killed or interrupted by the operating system during inactivity, the malware is set up as a launcher; each time its activity is triggered, the service is started or woken up.

A few extra protections are included in the malware but are not used. F5 researchers found a feature that detects whether the malware is running in an emulated environment; another unused feature sets the malware up as a hidden application.

More Malibot targets are coming, US may have already been hit

While the F5 Labs investigation revealed targets in Spain and Italy, the researchers also found ongoing activity that could indicate the cybercriminals are targeting US citizens.

One domain used by the same threat actor impersonates US tax authorities and leads to a “Trust NFT” website (Figure D) to download the malware.

Figure D

The threat actor’s new website, posing as the US tax authorities in its domain name (not shown, to protect the reader).

Another website that uses the COVID-19 theme in its domain name leads to the same content. Researchers expect the attackers to deploy more malware through these new websites in other parts of the world, including the US.

How to protect yourself from Malibot

The malware is only distributed from websites built by the cyber criminals and via SMS. It is currently not distributed through any legitimate Android platform such as the Google Play Store.

Never install an application on an Android device from a direct one-click download link. Users should only install applications from trusted, legitimate application stores and platforms, and should never install applications from a link received by SMS.

Install comprehensive security applications on the Android device to protect it from known threats.

When installing an application, its permissions should be carefully checked. Malibot asks for SMS send permissions on first launch, which should arouse suspicion.
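As an added defender-side example (not code from this article or from F5 Labs), the following Python script triages a decoded AndroidManifest.xml for the combination of capabilities the article attributes to Malibot: SMS send/receive permissions, an accessibility service, and registration as a HOME launcher. The sample manifest, its package name and the risk weighting are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
HOME = "android.intent.category.HOME"

# Constructed sample manifest (hypothetical package name, not a real Malibot sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake_crypto_tracker">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService" android:permission="%s"/>
  </application>
</manifest>""" % A11Y_PERM


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the permission/component combination the article attributes to Malibot."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A + "name") for el in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service:
    # the hook used for uninstall blocking and on-screen data theft.
    a11y = any(s.get(A + "permission") == A11Y_PERM for s in root.iter("service"))
    # Registering as a HOME launcher keeps the app from being killed on inactivity.
    home = any(c.get(A + "name") == HOME for c in root.iter("category"))
    sms = sorted(requested & SMS_PERMS)
    # Weighting is a triage heuristic of this example, not a published rule.
    score = len(sms) + (2 if a11y else 0) + (1 if home else 0)
    return {"sms_permissions": sms, "accessibility_service": a11y,
            "home_launcher": home, "risk_score": score, "review": score >= 3}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A benign app that asks only for INTERNET scores 0 and is not flagged; the constructed sample scores 5 and is marked for review.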

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
