F5 Labs discovers new strain of Android malware targeting online banking customers

22

MaliBot steals credentials, cookies, and bypasses multi-factor authentication (MFA) codes

While tracking the mobile banking trojan FluBot, F5 Labs recently discovered “MaliBot”, a new strain of Android malware.

While its main targets are online banking customers in Spain and Italy, its ability to steal credentials, cookies, and bypass multi-factor authentication (MFA) codes, means that Android users all over the world must be vigilant. Key characteristics include:

MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”, and occasionally assumes some other guises, such as “MySocialSecurity”and “Chrome”.
MaliBot is focused on stealing financial information, credentials, crypto wallets, and personal data (PII), and also targets financial institutions in Italy and Spain.
Malibot is capable of stealing and bypassing multi-factor (2FA/MFA) codes.
It includes the ability to remotely control infected devices using a VNC server implementation.
MaliBot is most obviously a threat to customers of Spanish and Italian banks, but F5 Labs expects a broader range of targets to be added to the app as time goes on.

In addition, the versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency. In fact, any application which makes use of WebView is liable to having the users’ credentials and cookies stolen.

“This research by F5 Labs serves as a reminder to both mobile app developers and users of the need to stay alert to the threat of malware and avoid becoming a victim of mobile banking fraud,” said Mohammed AbuKhater, Vice President for the Middle East & Africa at F5.

“Users should follow best security practice, ensuring that their Android devices only install apps from vetted marketplaces, such as Google Play. We strongly discourage the installation of apps from websites, particularly if you received a link to this site via email or SMS message. Users must also understand the risk of granting powerful permissions, such as Accessibility, to any app they install. In addition, developers need to take heed of the fact that sophisticated malware is increasingly able to sidestep 2-factor authentication and build additional layers of security into applications, particularly those granting access to financial accounts.”

The F5 Labs 2022 Application Protection Report also noted that while the rise of ransomware has been the most dramatic attacker trend in the last two years, 2021 also saw a more subtle rise in malware infections that exfiltrated data without pursuing encryption and a ransom. Such a capable and versatile example of mobile malware serves as a reminder that the attack trends du jour are never the only threat worth paying attention to.