The information stealing trojan, codenamed MaliBot by F5 Labs, is as feature-rich as its counterparts, allowing it to steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android’s Accessibility Service to monitor the victim’s device screen.
MaliBot is known to primarily disguise itself as cryptocurrency mining apps such as Mining X or The CryptoApp that are distributed via fraudulent websites designed to attract potential visitors into downloading them.
It also takes another leaf out of the mobile banking trojan playbook in that it employs smishing as a distribution vector to proliferate the malware by accessing an infected smartphone’s contacts and sending SMS messages containing links to the malware.
“MaliBot’s command-and-control (C2) is in Russia and appears to use the same servers that were used to distribute the Sality malware,” F5 Labs researcher Dor Nizar said. “It is a heavily modified re-working of the SOVA malware, with different functionality, targets, C2 servers, domains, and packing schemes.”
SOVA (meaning “Owl” in Russian), which was first detected in August 2021, is notable for its ability to conduct overlay attacks, which work by displaying a fraudulent page using WebView with a link provided by the C2 server should a victim open a banking app included in its active target list.
Some of the banks targeted by MaliBot using this approach include UniCredit, Santander, CaixaBank, and CartaBCC.
Accessibility Service is a background service running in Android devices to assist users with disabilities. It has long been leveraged by spyware and trojans to capture the device contents and intercept credentials entered by unsuspecting users on other apps.
Besides being able to siphon passwords and cookies of the victim’s Google account, the malware is designed to swipe 2FA codes from the Google Authenticator app as well as exfiltrate sensitive information such as total balances and seed phrases from Binance and Trust Wallet apps.
What’s more, Malibot is capable of weaponizing its access to the Accessibility API to defeat Google’s two-factor authentication (2FA) methods, such as Google prompts, even in scenarios where an attempt is made to sign in to the accounts using the stolen credentials from a previously unknown device.
“The versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency,” the researchers said.
“In fact, any application which makes use of WebView is liable to having the users’ credentials and cookies stolen.”