New Android Malware Strain Pretends to be Chrome Web Browser or a Crypto Mining App

Android malware named MaliBot disguises itself as the Chrome web browser or a cryptocurrency mining app in order to steal money from its victims.

Cybersecurity researchers have uncovered a new piece of Android banking malware, identified as MaliBot, that poses as a cryptocurrency mining application or as the Chrome web browser.

MaliBot primarily collects personal and financial data: credentials for online banking services, passwords for cryptocurrency wallets, and other sensitive information.

MaliBot

MaliBot, the newly identified strain, was discovered while researchers were investigating the mobile banking trojan FluBot. Customers of online banking services in Spain and Italy are its primary targets, and its capabilities have serious implications for anyone who installs it.

BleepingComputer reported that the bot can steal credentials and cookies and get around multi-factor authentication (MFA) codes, which means Android users everywhere should be on the lookout for suspicious activity. Once installed, MaliBot grants itself additional rights on the device, including accessibility and launcher permissions.

The malware can also take screenshots, intercept notifications and SMS messages, log boot events, and perform scroll, swipe, long-press and copy-and-paste actions on the victim's behalf, giving its operators remote control of the device through a Virtual Network Computing (VNC) implementation.

BleepingComputer stated, "To bypass MFA protections, it abuses the Accessibility API to click on confirmation prompts on incoming alerts about suspicious login attempts, sends the OTP to the C2, and fills it out automatically."

The report added, "Additionally, the malware can steal MFA codes from Google Authenticator and perform this action on-demand, opening the authentication app independently from the user."

MaliBot Masking Behind Crypto Mining App

MaliBot's command-and-control (C2) servers are located in Russia. According to F5 Labs, they appear to be the same servers used to distribute the Sality malware, and the IP address has been the source of many different campaigns since June 2020.

The malware is delivered through websites that advertise cryptocurrency applications and serve them as APK files. Victims download and install these APKs manually, believing they are installing a legitimate app.

These websites are replicas of legitimate projects, such as TheCryptoApp, which has over a million downloads on the Google Play Store, so the cloned site and the app it serves look genuine to the victim.

In another campaign, the malware is distributed under the guise of an application called Mining X. Victims are lured into scanning a QR code that leads them to the malicious APK file.
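A defender-side check that follows from the two behaviours described above (the malware grants itself accessibility permissions, and it arrives as a sideloaded APK rather than from Google Play). This is an added example written for this article, not MaliBot code and not a tool from F5 Labs or BleepingComputer: it cross-references the device's enabled accessibility services with each third-party package's installer, as reported by two `adb shell` commands, and flags any sideloaded app that has an accessibility service switched on. The `adb` outputs are constructed sample strings embedded in the script so it runs offline; the package names, the trusted-installer list and the expected-service list are assumptions for the example.

```python
"""Flag sideloaded Android apps that hold an enabled accessibility service.

Added illustration for this article; not MaliBot code or any vendor tool.
The two device outputs are constructed samples so the script runs offline;
replace them with adb_shell(...) calls to run it against a real device.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    package: str
    service: str
    installer: Optional[str]
    severity: str


# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are "package/ServiceClass" joined by ':'; a class starting with '.' is
# relative to the package. The second entry is an invented sideloaded app.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.sideloaded/.AccessService"
)

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps with installer).
# installer=null is what pm prints for an APK installed by hand rather than by a store.
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Assumptions for this example: Google Play is the only trusted installer and
# TalkBack is the only accessibility service expected on the device.
TRUSTED_INSTALLERS = {"com.android.vending"}
EXPECTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> dict:
    """Map package -> fully qualified service class from the settings string."""
    raw = raw.strip()
    if not raw or raw == "null":
        return {}
    services = {}
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services[pkg] = cls
    return services


def parse_pm_list(raw: str) -> dict:
    """Map package -> installer package (None when pm reports 'null')."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        inst = inst_part.strip()
        installers[pkg] = None if inst in ("", "null") else inst
    return installers


def find_suspects(a11y_raw: str, pm_raw: str) -> list:
    """Cross-reference enabled accessibility services with how each app was installed."""
    services = parse_enabled_services(a11y_raw)
    installers = parse_pm_list(pm_raw)
    findings = []
    for pkg, svc in services.items():
        if pkg in EXPECTED_A11Y_PACKAGES:
            continue
        installer = installers.get(pkg)
        if pkg in installers and installer not in TRUSTED_INSTALLERS:
            severity = "high"    # sideloaded third-party app with accessibility access
        elif pkg in installers:
            severity = "review"  # store-installed, but not an expected accessibility app
        else:
            severity = "info"    # not in the -3 list, so a system or preinstalled app
        findings.append(Finding(pkg, svc, installer, severity))
    return sorted(findings, key=lambda f: f.package)


def adb_shell(cmd: str) -> str:
    """Run a command on the attached device (for real use; not exercised offline)."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for f in find_suspects(SAMPLE_A11Y, SAMPLE_PM):
        print(f"{f.severity:6} {f.package} service={f.service} installer={f.installer}")
```

On the constructed sample this reports one `high` finding for `com.example.sideloaded`: an accessibility service is enabled and the package has no installer, the combination MaliBot's install flow produces. A store-installed app with an unexpected accessibility service is reported as `review` rather than dismissed, since an accessibility service is legitimate for some apps but still worth a look.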

MaliBot currently poses the greatest risk to customers of Spanish and Italian financial institutions, but users should expect its targeting to widen. Its capabilities also lend themselves to a broader range of malicious purposes, such as stealing sensitive information and cryptocurrency assets.

MaliBot is expected to spread more widely, which would increase the damage this new malware can do.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
