DroidBot Malware Targets Banking And National Organizations Across Europe


Security analysts at Cleafy have uncovered a sophisticated Android Remote Access Trojan (RAT) named DroidBot, identified as part of a Malware-as-a-Service (MaaS) operation originating from Turkey.

In a Rush? Here are the Quick Facts!

  • DroidBot is a new Android Remote Access Trojan (RAT) targeting 77 global entities.
  • It uses MQTT and HTTPS for stealthy communication and command delivery.
  • The malware exploits Android’s Accessibility Services for keylogging and overlay attacks.

First traced back to June 2024 and actively observed in October, DroidBot demonstrates advanced capabilities and a growing geographical impact, particularly in Europe.

DroidBot is a type of spyware that combines methods like hidden screen access and fake login screens to steal personal data. It sends stolen data over MQTT, a lightweight messaging protocol designed for smart devices, and receives commands over HTTPS, which makes its traffic harder to distinguish from legitimate activity.

Its capabilities include keylogging to capture passwords, overlaying fake login screens to harvest credentials, taking screenshots of the phone to monitor activity, and remotely controlling the device to mimic the user's actions.

It takes advantage of Android’s Accessibility Services, a permission users often grant unknowingly during installation. Disguised as harmless apps such as security tools or banking apps, DroidBot tricks people into installing it.

DroidBot targets 77 organizations, including banks, cryptocurrency exchanges, and national entities. Campaigns have been observed in the UK, France, Spain, Italy, and Portugal, with indications of expansion into Latin America.

Language preferences in the malware’s code and infrastructure suggest Turkish-speaking developers.

Ongoing development is evident, with inconsistencies in root checks, obfuscation levels, and unpacking processes across samples. These variations indicate efforts to refine the malware and adapt it to different environments.

DroidBot operates within a MaaS framework, where affiliates pay for access to its infrastructure. Cleafy identified 17 affiliate groups using the same MQTT server, indicating collaboration or demonstrations of the malware’s capabilities.

Advertised on Russian-speaking hacking forums, the service includes advanced features like Automated Transfer Systems (ATS) for financial fraud and costs affiliates $3,000 monthly.

DroidBot’s sophistication, supported by encryption routines and MQTT-based communication, positions it as a significant cyber threat. Its MaaS model, ongoing development, and ability to bypass two-factor authentication raise concerns for financial institutions and governments.

As DroidBot continues to evolve, security experts stress vigilance and enhanced protective measures for organizations in affected regions.
