Android malware named MaliBot disguises itself as Chrome or a crypto-mining app to financially exploit victims.
Cybersecurity researchers have discovered a new Android banking malware identified as MaliBot. The malware poses as a cryptocurrency-mining application or as the Chrome web browser.
MaliBot mainly works on collecting personal information and financial data such as online banking credentials, passwords for cryptocurrency wallets, and other sensitive information.
MaliBot, the newly detected strain of Android malware, was discovered during an investigation of the FluBot mobile banking trojan. Online banking users in Spain and Italy are its main targets. From the moment it was discovered, the malware was found to have serious and menacing implications.
BleepingComputer reported that the bot can steal credentials and cookies and bypass multi-factor authentication (MFA) codes, which means Android users around the world should be on the lookout for suspicious activity. Once installed, MaliBot grants itself additional rights on the device, in addition to accessibility and launcher permissions.
The malware also has the permissions to capture screenshots, intercept notifications and SMS messages, log boot operations, and perform on-screen actions such as scrolling, copying and pasting, swiping and long-pressing, and it gives its operators remote control of the device through a Virtual Network Computing (VNC) system.
BleepingComputer said, “To circumvent MFA protections, it abuses the Accessibility API to click confirmation prompts on incoming alerts about suspicious login attempts, sends the OTP to C2 and automatically populates it.”
The report adds, “Additionally, the malware can steal MFA codes from Google Authenticator and perform this action on demand, opening the authenticator app independently of the user.”
Hiding MaliBot Behind Crypto Mining App
MaliBot's command-and-control servers are located in Russia. As reported by F5 Labs, they appear to be the same servers that were used to distribute the Sality virus. Since June 2020, this IP address has been the source of many different campaigns.
The Android malware reaches victims through websites that promote bitcoin apps distributed as APK files. Victims fall into the trap of manually downloading and installing these apps on their devices, believing they have installed a legitimate app.
These websites are clones of the sites of legitimate projects, such as TheCryptoApp, which has over a million downloads on the Google Play Store, so users who land on a cloned site assume they are installing the genuine app.
In another campaign, the malware is distributed under the guise of an application called Mining X. Victims are tricked into scanning a QR code in order to obtain the malicious APK file.
MaliBot poses the greatest risk to customers of Spanish and Italian financial institutions, but users should expect it to eventually expand its reach to a wider range of potential victims. It also has the potential to be used for other malicious purposes, such as stealing sensitive information and cryptocurrency assets.
MaliBot is expected to enter broader circulation soon, which could increase the new malware's destructive potential.