DroidBot Malware Targets Banking And National Organizations Across Europe

Security analysts at Cleafy have uncovered a sophisticated Android Remote Access Trojan (RAT) named DroidBot, identified as part of a Malware-as-a-Service (MaaS) operation originating from Turkey.

First traced back to June 2024 and actively observed in October, DroidBot demonstrates advanced capabilities and a growing geographical impact, particularly in Europe.

DroidBot is a type of spyware that combines methods like hidden screen access and fake login screens to steal personal data. it sends stolen data through a method designed for smart devices and receives commands through secure websites, making it harder to detect.

Some of its tricks include recording what you type to capture passwords, creating fake login screens to steal your information, taking screenshots of your phone to spy on your activity, and even controlling your phone remotely to mimic your actions.

It takes advantage of Android’s Accessibility Services, which users often unknowingly grant during installation. Disguised as harmless apps like security tools or banking apps, DroidBot tricks people into downloading it.

DroidBot targets 77 organizations, including banks, cryptocurrency exchanges, and national entities. Campaigns have been observed in the UK, France, Spain, Italy, and Portugal, with indications of expansion into Latin America.

Language preferences in the malware’s code and infrastructure suggest Turkish-speaking developers.

Ongoing development is evident, with inconsistencies in root checks, obfuscation levels, and unpacking processes across samples. These variations indicate efforts to refine the malware and adapt it to different environments.

DroidBot operates within a MaaS framework, where affiliates pay for access to its infrastructure. Cleafy identified 17 affiliate groups using the same MQTT server, indicating collaboration or demonstrations of the malware’s capabilities.

Advertised on Russian-speaking hacking forums, the service includes advanced features like Automated Transfer Systems (ATS) for financial fraud and costs affiliates $3,000 monthly.

DroidBot’s sophistication, supported by encryption routines and MQTT-based communication, positions it as a significant cyber threat. Its MaaS model, ongoing development, and ability to bypass two-factor authentication raise concerns for financial institutions and governments.

As DroidBot continues to evolve, security experts stress vigilance and enhanced protective measures for organizations in affected regions.