New MaliBot Android Malware Mines Cryptocurrency
The Malware Acts by Targeting Consumers in Italy and Spain.
MaliBot can steal screenshots, intercept notifications and SMS messages, log boot operations, and provide its operators with remote control capabilities using a VNC system.
The operators are granted the ability to travel between displays through VNC, as well as a scroll, take screenshots, copy and paste material, swipe, and conduct long pushes. In addition, the virus is capable of stealing MFA codes from Google Authenticator and carrying out this activity on demand, launching the authentication app without the involvement of the user.
MaliBot is primarily concerned with collecting personal information and financial data such as credentials for online banking services, passwords for cryptocurrency wallets, and other sensitive information, it is also capable of obtaining two-factor authentication tokens from notifications.
According to a research published by F5 Labs, whose analysts uncovered the new virus, it is now making use of several distribution routes, most likely with the intention of filling the market vacuum that was left when the FluBot operation was abruptly shut down.
MaliBot is most obviously a threat to customers of Spanish and Italian banks, but we can expect a broader range of targets to be added to the app as time goes on. In addition, the versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency. In fact, any application which makes use of WebView is liable to having the users’ credentials and cookies stolen.
As BleepingComputer explained, the command and control server for Malibot is located in Russia, and the IP address of that server has been linked to many distribution operations for malware going all the way back to June 2020.
MaliBot is spread to victims via the use of websites that offer bitcoin apps in the form of APKs. Victims then manually download and install these programs on their devices.
Smishing, often known as SMS phishing, is another method that MaliBot operators employ to disseminate their payloads to a list of phone numbers that has been compiled by the C2. These messages are sent from smartphones that have been hacked and have had their “send SMS” authorization abused.