A new banking Trojan dubbed “Malibot” pretends to be a crypto-mining application designed to be distributed between Android phones. Though currently only active in Spain and Italy, it could start targeting Americans.
While tracking FluBot mobile banking malware, researchers at F5 Labs discovered the new Malibot threat targeting Android phones. Malibot has a number of features and abilities that make it an important threat to consider.
How is Malibot distributed?
Malibot is currently being distributed by cyber criminals through two different channels.
The first method of distribution is via the Internet: two different websites have been created by scammers called “Mining X” and “TheCryptoApp” (Figure A and Figure B).
The TheCryptoApp campaign impersonates a legitimate cryptocurrency tracker application. The user only receives the malware link, and is only infected, when browsing from an Android phone; browsing from any other device yields a legitimate link to the genuine TheCryptoApp application on the Google Play Store. Android users are instead given a direct download link outside of the Google Play Store.
As in the Mining X distribution campaign, clicking the download link on the website opens a window with a QR code to download the application.
The second distribution channel is via smishing, which hits Android phones directly: Malibot can send SMS messages when needed, and as soon as it receives such a command, it sends texts to a phone list provided by the Malibot command and control server.
What data does Malibot steal?
Malibot is designed to steal information such as personal information, credentials, and financial knowledge. To achieve this goal, it is capable of stealing cookies, multi-factor authentication credentials, and crypto wallets.
Malibot has a mechanism for collecting Google account credentials. When the victim opens a Google application, the malware opens a WebView to a Google login page, forcing the user to log in and preventing them from pressing the back button.
Aside from collecting Google account credentials, Malibot is also capable of bypassing Google’s 2FA. When the user tries to connect to their Google account, they are presented with a Google Command Prompt screen, which the malware immediately validates. The 2FA code is sent to the attacker instead of the legitimate user and is then retrieved by the malware to complete authentication.
Multiple injections for selected online services
The malware also sends the attacker the list of applications installed on the infected device, which tells the attacker which application the malware can hook to show an inject in its place. An inject is a page displayed to the user that perfectly impersonates the legitimate application (Figure C).
According to F5 Labs, Malibot currently uses injects targeting financial institutions in Spain and Italy.
In addition to the method used to steal Google accounts, Malibot can also steal Google Authenticator multi-factor authentication codes if needed. MFA codes sent to the phone via SMS are intercepted and exfiltrated by the malware.
Malibot is able to steal data from Binance and Trust cryptocurrency wallets.
The malware attempts to retrieve the total balance from victims’ wallets for both Binance and Trust and export it to the C2 server.
For the Trust wallet, Malibot can also collect the victim’s seed phrases, allowing the attacker to later transfer all the funds to another wallet of their choice.
Malibot can send SMS messages when needed. While it primarily uses this ability to spread itself through smishing, it can also send premium SMS that will charge the victim’s cell phone credit if enabled.
How does Malibot gain control of the infected device?
Malibot makes extensive use of Android’s Accessibility API, which allows mobile applications to perform actions on behalf of the user. This allows the malware both to steal information and to maintain persistence. More specifically, it protects itself from being uninstalled or having its permissions revoked by watching for certain text or labels on the screen and pressing the back button to block the action.
Malibot: A very active threat
Malibot’s developers want it to remain undetected and persist on infected devices for as long as possible. So that it is not killed or stopped by the operating system during inactivity, the malware registers itself as a launcher. Each time its activity is checked, it starts or wakes up its service.
Some additional protections are present in the malware but not used. F5 researchers found a feature to detect whether the malware is running in a simulated environment. Another unused feature sets the malware as a hidden application.
More Malibot targets are coming, the US could already be hit
While F5 Labs research revealed targets in Spain and Italy, they also found ongoing activity that could point to the cybercriminals targeting American citizens.
A domain used by the same attacker poses as a US tax authority and leads to a “Trust NFT” website (Figure D) offering to download the malware.
Another website using a COVID-19 theme in its domain name leads to the same content. Researchers expect attackers to deploy more malware via these new sites in other parts of the world, including the US.
How to protect yourself from Malibot
The malware is only distributed from websites created by cyber criminals and SMS. It is currently not distributed through any legitimate Android platform like Google Play Store.
Never install an application on an Android device from a direct download link. Users should only install applications from trusted and legitimate application stores and platforms, and should never install applications from a link they receive via SMS.
Install comprehensive security applications on the Android device to protect it from known threats.
When installing an application, its permissions should be carefully checked. Malibot asks for SMS sending permissions on first launch, which should raise suspicions.
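The two permission families the article singles out, accessibility services (used for persistence and self-defence) and SMS permissions (used for smishing and premium SMS), can both be audited from a workstation over `adb`. The script below is an added example written for this article, not code from F5 Labs or from the malware; the accessibility-service and `dumpsys` text it parses is constructed inline to mirror the real output format, and the package name `com.example.miningx` and the allowlist are placeholders, not indicators of compromise.

```shell
#!/bin/sh
# Constructed sample of what `adb shell settings get secure enabled_accessibility_services`
# returns: colon-separated "package/.ServiceClass" entries. The second package is a
# made-up placeholder standing in for a sideloaded app, not a real Malibot identifier.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.miningx/.AccessService'

# Constructed sample of the "runtime permissions" lines from
# `adb shell dumpsys package com.example.miningx`.
SAMPLE_PERMS='    android.permission.SEND_SMS: granted=true
    android.permission.RECEIVE_SMS: granted=true
    android.permission.INTERNET: granted=true
    android.permission.READ_CONTACTS: granted=false'

# Packages that are expected to hold accessibility access on this fleet.
# Assumed baseline for the example; extend it with your own screen-reader or MDM agents.
ALLOWLIST='com.google.android.marvin.talkback'

# Print the package name of every enabled accessibility service that is not on the allowlist.
# An unexpected entry here is exactly the foothold the article describes: an app that can
# read the screen and press buttons on the user's behalf.
unexpected_a11y() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                 # known service, nothing to report
            *) printf '%s\n' "$pkg" ;;     # unexpected: investigate this package
        esac
    done
}

# Print each granted SMS-family permission found in a dumpsys package dump.
# A freshly sideloaded app holding SEND_SMS is the warning sign the article points to.
granted_sms_perms() {
    printf '%s\n' "$1" | awk '
        /android\.permission\.(SEND_SMS|RECEIVE_SMS|READ_SMS): granted=true/ {
            sub(/:.*/, "", $1)
            print $1
        }'
}

# Stand-alone report over the constructed samples.
echo "Unexpected accessibility services:"
unexpected_a11y "$SAMPLE_A11Y"
echo "SMS permissions granted to the sample package:"
granted_sms_perms "$SAMPLE_PERMS"
```

On a real device, feed the functions live output instead of the samples, for example `unexpected_a11y "$(adb shell settings get secure enabled_accessibility_services)"` and `granted_sms_perms "$(adb shell dumpsys package some.package)"`. Anything the first function reports that the user did not knowingly enable, or any unfamiliar package the second function shows holding `SEND_SMS`, is worth removing before it can send anything.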
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.