F5 Labs has discovered new Android malware that targets online banking and cryptocurrency wallet customers in Spain and Italy. The MaliBot Trojan allows an attacker to:
- steal credentials and cookies;
- bypass multi-factor authentication (MFA);
- use the Android Accessibility service to monitor the screen of the victim's device.
MaliBot disguises itself as cryptocurrency mining applications (Mining X and The CryptoApp) that are distributed through fraudulent websites. It is also spread through smishing: phishing SMS messages that contain links to the malware.
"The MaliBot Command and Control Center (Command and Control, C2) is located in Russia and on the same servers that were used to distribute the Sality malware. This is a modified SOVA Trojan with other functionality, goals, C2 servers, and domains," said F5 Labs researcher Dor Nizar.
MaliBot targets the banks UniCredit, Santander, CaixaBank and CartaBCC. The Trojan can read 2FA codes from the Google Authenticator app, and can reveal the total balance and seed phrases of Binance and Trust Wallet wallets.
"The versatility of MaliBot and its control of the device mean that the Trojan can be used for a wider range of attacks than stealing credentials and cryptocurrencies," the researchers said.