A new threat has emerged: the DroidBot Android remote access trojan (RAT). Targeting 77 banks, cryptocurrency exchanges, and other major organizations, this malware exemplifies the evolving strategies cybercriminals are employing today.

Advanced Capabilities and Techniques

DroidBot stands out for its advanced features, as highlighted by Cleafy's cybersecurity experts Simone Mattia, Alessandro Strino, and Federico Valentini. This RAT combines covert VNC and overlay attack capabilities with spyware functionality such as keylogging and UI monitoring. Notably, it uses dual-channel communication: stolen data is sent out over MQTT, while commands are received over HTTPS, which improves its robustness and operational adaptability.

Discovery and Distribution

The Italian fraud prevention firm Cleafy uncovered DroidBot in October 2024. Nevertheless, indications are that it has been active since June, offered as malware-as-a-service (MaaS) for a subscription price of $3,000 per month. At least 17 different affiliate groups have used DroidBot's services, which include a web panel that lets them customize APK files and control compromised devices by sending a variety of commands.

Targeted Regions and Disguise Tactics

DroidBot campaigns have predominantly been detected in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the UK. The malware masquerades as legitimate applications, such as security apps, Google Chrome, or popular financial services apps. It abuses Android's accessibility services to collect sensitive data and exert control over devices remotely.
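The combination described above (a brand-name label, an accessibility service binding, and overlay permission) is something an analyst can check statically before a sample ever runs. The following Python triage script is an added example, not code from the article or from Cleafy: it parses a decoded AndroidManifest.xml (the manifest text is constructed here to mimic the pattern) and reports which of those traits are present. The permission and action strings are real Android identifiers; the package name, label and service name are made up for the example.

```python
import xml.etree.ElementTree as ET

# Real Android identifiers used by any app that binds an accessibility service
# or draws on top of other apps (the overlay attack surface).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (not a real sample): an app labelled like a
# browser that also binds an accessibility service and asks for overlays.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Chrome">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Summarise the manifest traits relevant to accessibility/overlay abuse."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    accessibility_services = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        # A service is an accessibility service if it is protected by the
        # binding permission or registers the accessibility intent action.
        if _attr(svc, "permission") == ACCESSIBILITY_PERM or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(_attr(svc, "name"))

    app = root.find("application")
    label = _attr(app, "label") if app is not None else None
    return {
        "package": root.get("package"),
        "label": label,
        "accessibility_services": accessibility_services,
        "overlay_permission": OVERLAY_PERM in perms,
    }


def risk_flags(report, brand_labels=("Chrome", "Google Chrome"),
               genuine_prefix="com.android.chrome"):
    """Turn the triage report into human-readable flags for an analyst."""
    flags = []
    if report["accessibility_services"]:
        flags.append("binds an accessibility service")
    if report["overlay_permission"]:
        flags.append("requests overlay (SYSTEM_ALERT_WINDOW) permission")
    if report["label"] in brand_labels and not report["package"].startswith(genuine_prefix):
        flags.append("label impersonates a known brand under an unrelated package name")
    return flags


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for flag in risk_flags(report):
        print("[!]", report["package"], "-", flag)
```

Each flag on its own is legitimate for some apps (screen readers bind accessibility services, chat heads use overlays), so this is a prioritisation aid for a reviewer, not a verdict; the value is in seeing all three together on an app whose package name does not belong to the brand it claims to be.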

Unique Command-and-Control (C2) Structure

A distinguishing element of DroidBot is its command-and-control design. Inbound instructions arrive over HTTPS, while sensitive data from the devices is sent out over MQTT. Cleafy researchers note that this separation bolsters operational flexibility and resilience, with communication segmented into distinct topics on the MQTT broker.
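From the network side, the split channel is itself a detection opportunity: a handset that keeps publishing sizeable MQTT payloads to one host while polling a different host over HTTPS is unusual for a phone. The following Python detection logic is an added example, not part of the article or Cleafy's tooling; it runs over constructed flow records (RFC 5737 documentation addresses, made-up timestamps) and flags source devices that show that pairing within a time window. The record format and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MQTT_PORTS = {1883, 8883}   # plain and TLS MQTT, the usual broker ports
HTTPS_PORT = 443

# Constructed sample flow records (not real traffic). 10.0.0.23 pairs MQTT
# publishes with HTTPS polling of a second host; 10.0.0.41 only browses.
SAMPLE_FLOWS = """\
2024-11-05T10:00:01Z src=10.0.0.23 dst=203.0.113.10 dport=443 proto=tcp bytes_out=910
2024-11-05T10:00:04Z src=10.0.0.23 dst=198.51.100.7 dport=1883 proto=tcp bytes_out=4120
2024-11-05T10:01:02Z src=10.0.0.23 dst=203.0.113.10 dport=443 proto=tcp bytes_out=880
2024-11-05T10:01:05Z src=10.0.0.23 dst=198.51.100.7 dport=1883 proto=tcp bytes_out=3975
2024-11-05T10:00:30Z src=10.0.0.41 dst=203.0.113.55 dport=443 proto=tcp bytes_out=12040
2024-11-05T10:02:30Z src=10.0.0.41 dst=203.0.113.56 dport=443 proto=tcp bytes_out=9050
"""

# Assumed key=value flow-log format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\S+ bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse flow-log lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        })
    return flows


def find_dual_channel_hosts(flows, window=timedelta(minutes=5), min_mqtt_bytes=1024):
    """Return sources that publish MQTT payloads to one host while talking
    HTTPS to a different host inside `window`. Thresholds are assumptions."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)

    hits = {}
    for src, fl in by_src.items():
        mqtt = [f for f in fl if f["dport"] in MQTT_PORTS]
        https = [f for f in fl if f["dport"] == HTTPS_PORT]
        if not mqtt or not https:
            continue
        # Keep only MQTT flows that carry a real payload and have an HTTPS flow
        # to a different destination close in time (the two-channel pattern).
        paired = [
            m for m in mqtt
            if m["bytes"] >= min_mqtt_bytes
            and any(abs(m["ts"] - h["ts"]) <= window and h["dst"] != m["dst"] for h in https)
        ]
        if paired:
            hits[src] = {
                "mqtt_brokers": sorted({m["dst"] for m in paired}),
                "https_hosts": sorted({h["dst"] for h in https}),
                "mqtt_bytes_out": sum(m["bytes"] for m in paired),
            }
    return hits


if __name__ == "__main__":
    for src, info in find_dual_channel_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(src, "-> MQTT", info["mqtt_brokers"], "HTTPS", info["https_hosts"],
              "bytes via MQTT:", info["mqtt_bytes_out"])
```

MQTT from a phone is not inherently suspicious (smart-home and messaging apps use it), so in practice the hits would be enriched with broker reputation and the device's installed-app inventory before anyone acts on them; the point of the example is that the protocol split the researchers describe leaves a measurable footprint in ordinary flow telemetry.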

Unknown Origins but Known Methods

While the exact origin of this threat remains unknown, linguistic analysis points to Turkish-speaking operators. As Cleafy's experts observe, although DroidBot's technical attributes are not groundbreaking, its MaaS business model sets it apart: such a model is relatively uncommon for malware of this kind and signals a new approach to distributing these threats.