DroidBot Malware Targets Banking And National Organizations Across Europe

Image by Freepik

DroidBot Malware Targets Banking And National Organizations Across Europe

Reading time: 2 min

First published: Dec 5, 2024

Updated 2 times since publishing

Security analysts at Cleafy have uncovered a sophisticated Android Remote Access Trojan (RAT) named DroidBot, identified as part of a Malware-as-a-Service (MaaS) operation originating from Turkey.

In a Rush? Here are the Quick Facts!

  • DroidBot is a new Android Remote Access Trojan (RAT) targeting 77 global entities.
  • It uses MQTT and HTTPS for stealthy communication and command delivery.
  • The malware exploits Android’s Accessibility Services for keylogging and overlay attacks.

First traced back to June 2024 and actively observed in October, DroidBot demonstrates advanced capabilities and a growing geographical impact, particularly in Europe.

DroidBot is a type of spyware that combines methods like hidden screen access and fake screens to steal personal data. it sends stolen data through a method designed for smart devices and receives commands through secure websites, making it harder to detect.

Some of its tricks include recording what you type to capture s, creating fake screens to steal your information, taking screenshots of your phone to spy on your activity, and even controlling your phone remotely to mimic your actions.

It takes advantage of Android’s Accessibility Services, which s often unknowingly grant during installation. Disguised as harmless apps like security tools or banking apps, DroidBot tricks people into ing it.

DroidBot targets 77 organizations, including banks, cryptocurrency exchanges, and national entities. Campaigns have been observed in the UK, , Spain, Italy, and Portugal, with indications of expansion into Latin America.

Language preferences in the malware’s code and infrastructure suggest Turkish-speaking developers.

Ongoing development is evident, with inconsistencies in root checks, obfuscation levels, and unpacking processes across samples. These variations indicate efforts to refine the malware and adapt it to different environments.

DroidBot operates within a MaaS framework, where s pay for access to its infrastructure. Cleafy identified 17 groups using the same MQTT server, indicating collaboration or demonstrations of the malware’s capabilities.

d on Russian-speaking hacking forums, the service includes advanced features like Automated Transfer Systems (ATS) for financial fraud and costs s $3,000 monthly.

DroidBot’s sophistication, ed by encryption routines and MQTT-based communication, positions it as a significant cyber threat. Its MaaS model, ongoing development, and ability to by two-factor authentication raise concerns for financial institutions and governments.

As DroidBot continues to evolve, security experts stress vigilance and enhanced protective measures for organizations in affected regions.

Did you like this article? Rate it!
I hated it I don't really like it It was ok Pretty good! Loved it!

We're thrilled you enjoyed our work!

As a valued reader, would you mind giving us a shoutout on Trustpilot? It's quick and means the world to us. Thank you for being amazing!

Rate us on Trustpilot
0 Voted by 0 s
Title
Comment
Thanks for your
Loader
Please wait 5 minutes before posting another comment.
Comment sent for approval.

Leave a Comment

Loader
Loader Show more...