DroidBot, a new Android banking malware, has emerged as a significant threat, targeting over 77 banking and cryptocurrency apps across regions like the UK, Italy, France, Spain, and Portugal. Discovered in December 2024 by Cleafy researchers, the malware has been active since June 2024 and operates as a malware-as-a-service (MaaS) platform. The creators, believed to be based in Turkey, offer affiliates a customizable toolkit for carrying out attacks, lowering the entry barriers for cybercriminals. At least 17 affiliate groups have been identified using the malware to tailor their payloads to specific targets, further increasing its reach.
DroidBot is primarily distributed through fake apps masquerading as trusted services like Google Chrome or Android Security. Once installed on a victim’s device, it begins its malicious activity by logging keystrokes, overlaying fake login pages, and intercepting SMS messages containing one-time passwords (OTPs). These tactics are designed to steal sensitive login credentials from targeted apps such as Binance, KuCoin, BBVA, Unicredit, and Metamask. The malware’s widespread activity has been observed in multiple countries, including the UK, Italy, and Spain, showing its capacity for significant global impact.
The DroidBot operation is built around a MaaS platform, where affiliates can access a builder tool, command and control (C2) servers, and a central admin panel to manage their operations. This system gives affiliates the flexibility to customize the malware for specific targets, including selecting different languages and C2 server addresses. The platform also includes extensive documentation and a Telegram channel for ongoing updates, making it an accessible tool for even low-skilled or inexperienced cybercriminals. The fact that multiple threat groups operate under the same infrastructure is a key feature of this MaaS platform.
In response to the growing threat, experts recommend that Android users take necessary precautions to protect themselves from DroidBot infections. Users are advised to download apps only from official sources like the Google Play Store and to carefully scrutinize permissions requested by apps, especially those requesting access to Android’s Accessibility Services. Enabling Play Protect is another essential step to ensure an additional layer of security. By staying vigilant and informed about potential threats like DroidBot, users can better safeguard their devices and personal information from this evolving malware.
Reference:
