While tracking down the FluBot mobile banking Trojan, F5 Labs recently discovered “MaliBot”, a new strain of Android malware.
While its main targets are online banking customers in Spain and Italy, its ability to steal credentials and cookies and to bypass multi-factor authentication (MFA) codes means that Android users around the world must be vigilant. Key features include:
- MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”, and sometimes takes other guises, such as “MySocialSecurity” and “Chrome”.
- MaliBot focuses on stealing financial information, credentials, crypto wallets, and personal data (PII), and also targets financial institutions in Italy and Spain.
- MaliBot can steal and bypass multi-factor authentication codes (2FA/MFA).
- It includes the ability to remotely control infected devices using a VNC server implementation.
MaliBot is clearly a threat to customers of Spanish and Italian banks, but F5 Labs expects a wider range of targets to be added to the app over time.
Additionally, the versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than credential and cryptocurrency theft. Indeed, any application using WebView is likely to have user IDs and cookies stolen.
“This research from F5 Labs reminds mobile app developers and users of the need to stay alert to the threat of malware and avoid falling victim to mobile banking fraud,” said Mohammed AbuKhater, vice president for the Middle East and Africa at F5.
“Users should follow security best practices, ensuring that their Android devices only install apps from approved marketplaces, such as Google Play. We strongly discourage installing apps from websites, especially if you received a link to the site via email or text message. Users should also understand the risk of granting powerful permissions, such as accessibility, to any app they install. Developers should take into account that sophisticated malware is increasingly capable of bypassing 2-factor authentication, and build additional layers of security into applications, especially those providing access to financial accounts.”
The F5 Labs 2022 Application Protection Report also noted that while the rise of ransomware has been the most dramatic attacker trend over the past two years, 2021 also saw a more subtle increase in malware infections that exfiltrated data without pursuing encryption and a ransom. Such a capable and versatile example of mobile malware is a reminder that the attack trends of the day are never the only threat worth paying attention to.
The full analysis of the discovery can be found here: https://www.f5.com/labs/articles/threat-intelligence/f5-labs-investigates-malibot