### #DroidBot #AndroidRAT #MalwareAsAService
Summary: A newly discovered Android remote access trojan (RAT) named DroidBot has targeted 77 banking institutions and organizations, utilizing advanced techniques for data exfiltration and device control. Operating under a malware-as-a-service model, it has attracted at least 17 affiliate groups for its capabilities.
Threat Actor: Unknown | DroidBot
Victim: Various banking institutions and organizations | banking institutions
Key Point :
- DroidBot combines hidden VNC and overlay attack techniques with keylogging and user interface monitoring.
- The malware operates using dual-channel communication, employing MQTT for outbound data and HTTPS for inbound commands.
- It has been active since at least June 2024 and is offered as a service for $3,000 per month.
- Malicious apps are disguised as security applications, Google Chrome, or popular banking apps.
- Campaigns have been primarily observed in several European countries, including Austria, France, and the UK.
- The operational model of DroidBot resembles a Malware-as-a-Service scheme, which is uncommon for this type of threat.
As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot.
“DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring,” Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said.
“Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience.”
The Italian fraud prevention company said it discovered the malware in late October 2024, although there is evidence to suggest that it has been active since at least June, operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.
No less than 17 affiliate groups have been identified as paying for access to the offering. This also includes access to a web panel from where they can modify the configuration to create custom APK files embedding the malware, as well as interact with the infected devices by issuing various commands.
Campaigns leveraging DroidBot have been primarily observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom. The malicious apps are disguised as generic security applications, Google Chrome, or popular banking apps.
While the malware leans heavily on abusing Android’s accessibility services to harvest sensitive data and remotely control the infected devices, it stands apart for leveraging two different protocols for command-and-control (C2).
Specifically, DroidBot employs HTTPS for inbound commands, whereas outbound data from infected devices is transmitted using a messaging protocol called MQTT.
“This separation enhances its operational flexibility and resilience,” the researchers said. “The MQTT broker used by DroidBot is organised into specific topics that categorise the types of communication exchanged between the infected devices and the C2 infrastructure.”
The exact origins of the threat actors behind the operation are not known, although an analysis of the malware samples has revealed that they are Turkish speakers.
“The malware presented here may not shine from a technical standpoint, as it is quite similar to known malware families,” the researchers noted. “However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme – something not commonly seen in this type of threat.”
Source: https://thehackernews.com/2024/12/this-3000-android-trojan-targeting.html