The information-stealing trojan, codenamed MaliBot by F5 Labs, shares many features with its counterparts: it can steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android's Accessibility Service to monitor the victim's device screen.
MaliBot is known to primarily disguise itself as cryptocurrency mining apps such as Mining X or The CryptoApp, distributed through phishing websites designed to lure visitors into downloading them.
It also takes another leaf out of the mobile banking trojan playbook in that it uses smishing as a distribution vector to spread the malware: it reads the contacts of an infected smartphone and sends them SMS messages containing links to the malware.
“MaliBot’s command-and-control (C2) is in Russia and appears to use the same servers that were used to distribute the Sality malware,” said F5 Labs researcher Dor Nizar. “It is a heavily modified re-work of the SOVA malware, with different functionality, targets, C2 servers, domains, and packing schemes.”
SOVA (meaning “Owl” in Russian), first discovered in August 2021, is notable for its ability to conduct overlay attacks, which work by displaying a phishing page in a WebView, loaded from a link supplied by the C2 server, whenever the victim opens a banking application that is on its active target list.
Some of the banks targeted by MaliBot using this approach include UniCredit, Santander, CaixaBank and CartaBCC.
The Accessibility Service is a background service on Android devices that assists users with disabilities. It has long been abused by spyware and trojans to capture on-screen content and intercept credentials that unsuspecting users enter into other apps.
Besides siphoning the passwords and cookies of victims’ Google accounts, the malware is designed to steal 2FA codes from the Google Authenticator app and to exfiltrate sensitive information such as total balances and seed phrases from the Binance and Trust Wallet apps.
Furthermore, MaliBot can weaponize its Accessibility API access to defeat Google’s two-factor authentication (2FA) methods such as Google prompts, even when the sign-in attempt uses the stolen credentials from a previously unknown device: the approval prompt shown on the infected phone is just another on-screen element the service can read and act on.
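The capability set described above (an Accessibility Service binding, overlay/WebView phishing, and contacts-plus-SMS access for smishing propagation) is visible in an app’s manifest before any dynamic analysis. The triage script below, an added example rather than code from F5 Labs or from the MaliBot sample, parses a decoded AndroidManifest.xml and scores those indicators. The two manifests, the package names, the weights and the alert threshold are all constructed assumptions for illustration; the permission and service names are standard Android identifiers.

```python
"""Heuristic manifest triage for the MaliBot-style capability set:
accessibility binding, draw-over-apps overlays, and SMS + contacts access.
Added example; manifests, weights and threshold are constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS           # android:name attribute
PERMISSION = "{%s}permission" % ANDROID_NS  # android:permission attribute

# Indicator -> (description, weight). Weights are an illustrative assumption,
# not a published scoring scheme.
INDICATORS = {
    "accessibility_service": ("binds an AccessibilityService (screen capture, 2FA prompt abuse)", 3),
    "overlay": ("requests SYSTEM_ALERT_WINDOW (draw-over-apps overlays)", 2),
    "smishing": ("can read contacts and send SMS (self-propagation)", 3),
    "internet": ("has network access (C2, WebView phishing pages)", 1),
}
ALERT_THRESHOLD = 5  # assumption: a lone accessibility app (3) is not flagged

def parse_manifest(xml_text):
    """Return (set of requested permissions, whether an accessibility
    service is declared) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    # A real accessibility service must be guarded by this permission, so the
    # system binds to it; declaring it is the reliable tell.
    has_a11y = any(
        svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service")
    )
    return perms, has_a11y

def triage(xml_text):
    """Score the manifest and return the matched indicators and a verdict."""
    perms, has_a11y = parse_manifest(xml_text)
    found = []
    if has_a11y:
        found.append("accessibility_service")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found.append("overlay")
    if {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"} <= perms:
        found.append("smishing")
    if "android.permission.INTERNET" in perms:
        found.append("internet")
    score = sum(INDICATORS[k][1] for k in found)
    return {"indicators": found, "score": score, "suspicious": score >= ALERT_THRESHOLD}

# Constructed manifest mimicking a fake "mining" app with the full capability set.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.miningx">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Mining X">
        <service android:name=".ScreenService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest: network access only.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("miningx", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["score"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for key in result["indicators"]:
            print("   -", INDICATORS[key][0])
```

Run it against the output of `apktool d` (or any tool that decodes the binary manifest to XML). The threshold deliberately lets a standalone accessibility app through, since legitimate assistive apps need that binding; it is the combination with overlay and SMS-propagation permissions that matches the behaviour described here.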
“The versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency,” the researchers said.
“In fact, any application that uses WebView can have user credentials and cookies stolen.”