A new Android banking malware, dubbed ‘DroidBot’, has emerged as a significant threat, targeting the credentials of over 77 cryptocurrency exchanges and banking applications across several European nations, including the UK, Italy, France, Spain, and Portugal. Discovered by researchers at Cleafy, this malware has been operational since June 2024 and functions as a malware-as-a-service (MaaS) platform, with a subscription price set at ,000 per month.
In an alarming development, at least 17 affiliate groups have been identified utilizing malware builders to tailor their payloads for specific targets. While DroidBot does not introduce particularly advanced features, an analysis of one of its botnets revealed 776 unique infections across the UK, Italy, France, Turkey, and Germany, indicating a notable level of activity. Cleafy further notes that the malware is currently undergoing extensive development, with indications of plans to expand into new regions, including Latin America.
The DroidBot MaaS operation
The developers behind DroidBot, believed to be based in Turkey, provide affiliates with a comprehensive suite of tools necessary for executing attacks. This arsenal includes a malware builder, command and control (C2) servers, and a centralized administration panel, enabling affiliates to manage their operations, retrieve stolen data, and issue commands seamlessly.
Multiple affiliates share the same C2 infrastructure, each assigned unique identifiers, which has allowed Cleafy to pinpoint 17 distinct threat groups. The payload builder empowers these affiliates to customize DroidBot to target specific applications, utilize various languages, and configure different C2 server addresses.
Moreover, affiliates benefit from detailed documentation, direct support from the malware’s creators, and access to a dedicated Telegram channel for regular updates. This structure effectively lowers the barrier to entry for inexperienced or less-skilled cybercriminals, making participation in the DroidBot operation more accessible.
Impersonating popular apps
DroidBot often disguises itself as trusted applications such as Google Chrome, the Google Play Store, or ‘Android Security’ to deceive users into installing the malicious software. In every instance, it functions as a trojan, aiming to pilfer sensitive information from legitimate applications.
The malware boasts several key features:
- Keylogging – Capturing every keystroke entered by the victim.
- Overlaying – Displaying fake login pages over legitimate banking app interfaces.
- SMS interception – Hijacking incoming SMS messages, particularly those containing one-time passwords (OTPs) used for banking sign-ins.
- Virtual Network Computing – A VNC module that allows affiliates to remotely view and control the infected device, execute commands, and obscure the screen to hide malicious activities.
A critical aspect of DroidBot’s functionality is its abuse of Android’s Accessibility Services, a legitimate feature that lets it monitor user actions and simulate swipes and taps on the victim’s behalf. Users should remain vigilant; if an app requests unusual permissions, particularly access to Accessibility Services, it is advisable to deny such requests immediately.
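Because the overlay, keylogging and VNC capabilities described above all hinge on an accessibility service being enabled, a quick triage of that setting is a sensible first step when a device is suspected of infection. The following is an added example, not code from the article or from Cleafy’s report: it parses the value of Android’s `enabled_accessibility_services` secure setting (the string printed by `adb shell settings get secure enabled_accessibility_services`) and flags every service that is not on an allow-list, noting separately those whose package name borrows the “Chrome”, “Play” or “Android Security” branding the article says DroidBot impersonates. The allow-list, the name hints and the sample setting value are constructed for illustration and should be replaced with what is expected on your own fleet.

```python
from dataclasses import dataclass

# Constructed allow-list of accessibility services a stock device is expected
# to have enabled. TalkBack's component name is the real one; extend this set
# with whatever your organisation's devices legitimately run.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Branding the article says DroidBot droppers borrow for their disguises. A
# non-allow-listed service whose package name leans on these words is a red
# flag, not proof; the allow-list miss is the actual finding.
SUSPICIOUS_NAME_HINTS = ("chrome", "play", "security", "google", "android")


@dataclass
class Finding:
    component: str   # full "package/ServiceClass" component name
    package: str     # package part only, useful for follow-up with `adb shell dumpsys package`
    reason: str


def parse_enabled_services(raw: str) -> list[str]:
    """Split the raw setting value into component names.

    `settings get` prints the literal string "null" when the setting is unset,
    and otherwise a colon-separated list of "package/ServiceClass" entries.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def triage_services(raw: str, allow_list=KNOWN_GOOD_SERVICES) -> list[Finding]:
    """Return one Finding per enabled accessibility service not on the allow-list."""
    findings = []
    for component in parse_enabled_services(raw):
        if component in allow_list:
            continue
        package = component.split("/", 1)[0]
        lowered = package.lower()
        if any(hint in lowered for hint in SUSPICIOUS_NAME_HINTS):
            reason = "not on allow-list; package name imitates a trusted vendor or system app"
        else:
            reason = "not on allow-list"
        findings.append(Finding(component, package, reason))
    return findings


# Constructed sample of the setting value on a suspect device: the legitimate
# TalkBack service followed by a service from an app posing as "Android Security".
SAMPLE_SETTING_VALUE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.androidsecurity/com.example.androidsecurity.AccessService"
)

if __name__ == "__main__":
    for finding in triage_services(SAMPLE_SETTING_VALUE):
        print(f"{finding.component}\n  package: {finding.package}\n  reason:  {finding.reason}")
```

Any service the check flags should be matched against the device’s installed packages (installer source, install time, requested permissions) before it is treated as malicious; legitimate password managers and automation tools also register accessibility services, which is why the allow-list, not the name heuristic, should carry the decision.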
Among the 77 applications targeted by DroidBot for credential theft are notable names such as Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA. To protect against this emerging threat, Android users are encouraged to download apps exclusively from Google Play, carefully scrutinize permission requests during installation, and ensure that Play Protect is activated on their devices.