More than 77 banking institutions, cryptocurrency exchanges and national organizations have been targeted by a newly discovered Android Remote Access Trojan (RAT) called DroidBot.
“DroidBot is a state-of-the-art RAT that combines stealthy VNC and overlay attack techniques with spyware-like capabilities such as keyboard and UI monitoring,” Cleafy researchers Simone Mattia, Alessandro Strina, and Federico Valentini said.
“What’s more, it uses two-channel communication when transmitting output data MQTT and receiving incoming commands over HTTPS, providing increased operational flexibility and resiliency.”
An Italian fraud prevention company said it discovered the malware in late October 2024, although there is evidence to suggest it has been operating since at least June, operating on a malware-as-a-service (MaaS) model for a monthly fee of 3000 dollars.
At least 17 affiliate groups were found to be paying for access to the offer. This also includes access to a web panel from where they can modify the configuration to create custom APK files with embedded malware, as well as interact with infected devices by issuing various commands.
Campaigns using DroidBot were mainly observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey and the UK. Malware disguises itself as common security programs, Google Chrome, or popular banking apps.
While malware relies heavily on abuse Android accessibility services to collect sensitive data and remotely control an Android device, it differs in that it uses two different protocols for command and control (C2).
Specifically, DroidBot uses HTTPS for incoming commands, while outgoing data from infected devices is transmitted using a messaging protocol called MQTT.
“This separation increases its operational flexibility and resilience,” the researchers noted. “The MQTT broker used by DroidBot is organized into specific topics that classify the types of communication between infected devices and the C2 infrastructure.”
The exact origin of the threat actors behind the operation is unknown, although analysis of the malware samples showed them to be Turkish-speaking.
“The malware presented here may not shine from a technical point of view, as it is very similar to known malware families,” the researchers noted. “However, what really stands out is its operating model, which closely resembles a malware-as-a-service (MaaS) scheme – something that is not typically seen in this type of threat.”
