A new banking Trojan has been discovered for Android

Share This Post

MaliBot is known to primarily disguise itself as cryptocurrency mining apps such as Mining X or The CryptoApp that are distributed via fraudulent websites designed to attract potential visitors into downloading them. It also takes another leaf out of the mobile banking trojan playbook in that it employs smishing as a distribution vector to proliferate the malware by accessing an infected smartphone’s contacts and sending SMS messages containing links to the malware.

Just weeks after a concerted law enforcement effort demolished FluBot, a new strain of Android malware has been found in the wild targeting online banking and cryptocurrency wallet consumers in Spain and Italy. F5 Labs’ information-stealing trojan, nicknamed MaliBot, is as feature-rich as its competitors, allowing it to collect passwords and cookies, circumvent multi-factor authentication (MFA) codes, and watch the victim’s device screen via Android’s Accessibility Service.


  • Accessibility Service is a background service running in Android devices to assist users with disabilities. It has long been leveraged by spyware and trojans to capture the device contents and intercept credentials entered by unsuspecting users on other apps. Besides being able to siphon passwords and cookies of the victim’s Google account, the malware is designed to swipe 2FA codes from the Google Authenticator app as well as exfiltrate sensitive information such as total balances and seed phrases from Binance and Trust Wallet apps. What’s more, Malibot is capable of weaponizing its access to the Accessibility API to defeat Google’s two-factor authentication (2FA) methods, such as Google prompts, even in scenarios where an attempt is made to sign in to the accounts using the stolen credentials from a previously unknown device.

  • “MaliBot’s command-and-control (C2) is in Russia and appears to use the same servers that were used to distribute the Sality malware,” F5 Labs researcher Dor Nizar said. “It is a heavily modified re-working of the SOVA malware, with different functionality, targets, C2 servers, domains, and packing schemes.” SOVA (meaning “Owl” in Russian), which was first detected in August 2021, is notable for its ability to conduct overlay attacks, which work by displaying a fraudulent page using WebView with a link provided by the C2 server should a victim open a banking app included in its active target list. Some of the banks targeted by MaliBot using this approach include UniCredit, Santander, CaixaBank, and CartaBCC.


Related Posts

Rewind: a decade of iPhone camera innovation

If you skim the charts below you will see...

Westpac payment terminals will use Android Phone

The service, named Westpac Tap On Phone, will offer...

The victim took a photo on the phone and the man was charged with murder

A witness told police that Martinez had been parked...

Available for iOS and Android, Landindex is the Metaverse’s terrestrial data aggregation and analysis app

“The metaverse is growing exponentially,” said Mert Eskinat, CEO...
- Advertisement -spot_img