
Researchers have spotted a new strain of Android malware, named MaliBot, that is targeting online banking and cryptocurrency wallet customers in Spain and Italy.
The attacks targeted multiple banks, including UniCredit, Santander, CaixaBank, and CartaBCC.
The malware's features include the ability to steal credentials and cookies and to bypass MFA codes. The malicious code is also able to remotely control infected devices using a VNC server implementation.
MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”. The malicious code has also masqueraded as the “MySocialSecurity” and “Chrome” apps.
The C2 is in Russia, and the malware used the same servers that were associated with the Sality malware operation. The malware is a heavily modified reworking of the SOVA Android banking trojan, but it supports different functionality and has different targets, C2 servers, domains and packing schemes.
MaliBot monitors the following Google apps and, when one of them is launched, initiates a WebView to collect credentials:
- com.android.vending
- com.google.android.apps.maps
- com.google.android.gm
- com.google.android.youtube
- com.google.android.apps.photos
- com.google.android.apps.docs
- com.google.android.apps.youtube.music
- com.google.android.music
MaliBot uses the “shouldInterceptRequest” WebView function to intercept the URLs that will be loaded to the WebView. By intercepting the URLs of the WebView, MaliBot knows which of four login stages the victim is in:
- https://accounts.google[.]com/signin/v2/identifier – login page
- https://accounts.google[.]com/_/lookup/accountlookup – Checks if Email exists
- https://accounts.google[.]com/_/signin/challenge – MFA challenge page
- https://myaccount.google[.]com – Successful login page
The malware is distributed through malicious websites or via smishing attacks.
MaliBot abuses the Accessibility Service to implement VNC-like functionality using the Accessibility API: it grabs information from the screen and populates a bus object that saves the device's state.
MaliBot also abuses its access to the Accessibility API to bypass Google 2FA methods.
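
The traits described above (lure app names, distribution outside the app store, reliance on the Accessibility Service) can be combined into a simple triage rule for a device app inventory. This is an added example, not code from the original research; the inventory format, the `com.example.*` package names and the trusted-installer policy are assumptions made for illustration.

```python
# Added example: flag apps that combine two or more MaliBot-style signals.
# The inventory record layout below is hypothetical (e.g. an MDM export).

LURE_LABELS = {"mining x", "the cryptoapp", "mysocialsecurity", "chrome"}  # names from the article
KNOWN_GOOD = {"chrome": "com.android.chrome"}   # genuine package behind a lure label
TRUSTED_INSTALLERS = {"com.android.vending"}    # assumption: only Google Play is trusted


def triage(apps):
    """Return [(package, reasons)] for apps that warrant manual review."""
    findings = []
    for app in apps:
        label = app["label"].strip().lower()
        reasons = []
        # A lure label is only a signal when the package is not the genuine one.
        if label in LURE_LABELS and KNOWN_GOOD.get(label) != app["package"]:
            reasons.append("label matches a reported lure name")
        if app.get("installer") not in TRUSTED_INSTALLERS:
            reasons.append("installed from outside the trusted store")
        if app.get("accessibility_enabled"):
            reasons.append("accessibility service enabled")
        # One signal alone is common on clean devices; require two to cut noise.
        if len(reasons) >= 2:
            findings.append((app["package"], reasons))
    return findings


# Constructed sample inventory (not real telemetry).
SAMPLE_INVENTORY = [
    {"label": "Chrome", "package": "com.android.chrome",
     "installer": "com.android.vending", "accessibility_enabled": False},
    {"label": "Chrome", "package": "com.example.fakebrowser",
     "installer": None, "accessibility_enabled": True},
    {"label": "Mining X", "package": "com.example.miner",
     "installer": None, "accessibility_enabled": False},
    {"label": "TalkBack", "package": "com.google.android.marvin.talkback",
     "installer": "com.android.vending", "accessibility_enabled": True},
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_INVENTORY):
        print(f"{package}: {'; '.join(reasons)}")
```

Requiring two signals keeps a store-installed screen reader and the genuine Chrome out of the results while still surfacing a sideloaded look-alike.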

MaliBot is most obviously a threat to customers of Spanish and Italian banks, but we can expect a broader range of targets to be added to the app as time goes on. The versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency.
This research was conducted by experts from F5 Labs.