Cyberattack against customers of 8 French banks: a virus seeks to loot your account

New banking malware is threatening Android smartphone users. Cleafy researchers detected the new virus, called DroidBot, at the end of October 2024. According to the investigation carried out by experts from the Milan-based company, which specializes in the fight against online fraud, DroidBot has been active since June 2024.

The malware is marketed by Turkish hackers as part of a "Malware-as-a-Service" subscription (MaaS). This type of offer allows cybercriminals to pay to use malware in exchange for temporary or limited access. In this case, the malware is available for the sum of $3,000 per month. At least 17 gangs have affiliated themselves with DroidBot to use it in their attacks.

The 8 banks in France in DroidBot's sights

According to Cleafy, DroidBot is designed to attack users of "77 separate entities", including banks, financial institutions or cryptocurrency exchange platforms. These include exchanges like Binance, KuCoin, Kraken, OkCoin or a wallet like Kraken. Other targets of the virus include several French banks:

  • Boursorama
  • BNP Paribas
  • Crédit Agricole
  • Axa Banque
  • Caisse d’Épargne
  • Banque Populaire
  • ING
  • Société Générale

If you are a customer of these banks, we encourage you to be extra careful. Researchers have also detected several attacks based on DroidBot in France. In fact, Cleafy counted 776 intrusions in the United Kingdom, Italy, France, Turkey and Germany. Spain and Portugal complete the list of the malware’s preferred targets. Four nations, including France, concentrate the majority of attacks.

Faced with the concern of many users regarding this malware, French banks have decided to react. The FBF (French Banking Federation) published a press release this Saturday, December 7. The organization insists that "this is not a cyberattack against French banks or their applications, but malware that is installed by users on their phones without it having anything to do with a bank." The FBF adds that security is a "major issue" for banks and that they "develop extremely effective means to counter fraud methods."

DroidBot's modus operandi

To plunder its targets' bank accounts, DroidBot first pretends to be one of the applications already installed on their smartphone. In general, DroidBot pretends to be Google Chrome or the Google Play Store to fool users. Sometimes, the virus takes the form of an application called Android Security. This tactic helps convince victims to install the malware from fraudulent websites or APK files.

Once installed, DroidBot does everything it can to steal your sensitive data. For example, the virus records everything typed on the keyboard and intercepts SMS messages looking for login codes. Above all, it displays a fake, malicious window over a banking or financial application. More broadly, DroidBot can allow cybercriminals to view everything on your screen. All these tricks allow them to steal your login details and passwords. With this data, it is easy to get into your account and make transfers without your knowledge.

Like many Android viruses, DroidBot exploits Android's accessibility services. Designed to help visually impaired people use their devices, these services are hijacked by many malicious applications. It is through the access granted by the victim that the virus "allows remote control of the infected device". Hackers can thus simulate "user interactions such as pressing buttons, filling out forms and navigating applications, allowing attackers to use the device as if they were physically present".

DroidBot developers provide their customers with an administration panel. Through it, hackers can organize their attacks and customize DroidBot to target specific applications or use different languages depending on the targets. They also offer support on Telegram and regular updates. Cleafy points to "the sophistication and adaptability of DroidBot."

A virus in evolution

Researchers say that the virus "is still under active development". In the near future, it is likely that the malware will gain new features or manage to target other banks. In addition, there are indications that the developers intend to target other regions of the world, starting with Latin America. Cleafy indicates that there are "continuous efforts to improve the effectiveness of the malware and adapt it to specific environments". More surprises are likely to come.

To avoid falling into the trap set by DroidBot, we therefore recommend that you avoid installing applications outside the Play Store at all costs. According to the latest news, the virus has not managed to slip onto the Google platform.
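A defender-side check that ties together the two points above (abuse of accessibility services and installs from outside the Play Store), added here as an example and not taken from Cleafy's report. It parses the output of two adb commands and lists third-party apps that hold an enabled accessibility service but were not installed by Google Play; the `com.example.*` package names and the sample output are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.androidsecurity/.HelperService:"
    "com.example.passmanager/.FillService"
)
# Constructed sample of: adb shell pm list packages -3 -i   (-3 = third-party only)
SAMPLE_PACKAGES = """\
package:com.example.androidsecurity  installer=null
package:com.example.passmanager  installer=com.android.vending
package:com.example.game  installer=com.google.android.packageinstaller
"""

def parse_enabled_services(raw):
    """Colon-separated 'pkg/class' list (or 'null') -> set of package names."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}

def parse_installers(raw):
    """'package:<pkg>  installer=<pkg|null>' lines -> {package: installer or None}."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers

def risky_accessibility_apps(services_raw, packages_raw):
    """Third-party packages with an enabled accessibility service that
    were not installed by the Play Store, as sorted (package, installer)."""
    enabled = parse_enabled_services(services_raw)
    installers = parse_installers(packages_raw)
    return sorted(
        (pkg, installers[pkg])
        for pkg in enabled
        if pkg in installers and installers[pkg] != PLAY_STORE
    )

if __name__ == "__main__":
    for pkg, inst in risky_accessibility_apps(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg} (installer={inst}) has an accessibility service enabled")
```

A hit is a prompt for manual review, not proof of infection: legitimate sideloaded apps can also use accessibility services.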

Source: Cleafy
