The banking app trojan on Android arrives that empties the account: how to defend yourself from DroidBot

December 11, 2024

DroidBot, a banking malware of the RAT (Remote Access Trojan) type for Android devices, is arriving in Italy and other European countries. Discovered last October by the cybersecurity experts of Cleafy, it attacks banking apps to empty their accounts, but also cryptocurrency platforms and national institutions. Its strength is a combination of advanced techniques, such as keylogging (the recording of the keys pressed on the keyboard) and VNC (Virtual Network Computing) attacks, which allow remote control of the infected device. DroidBot uses a sophisticated dual-channel communication system, which makes it difficult to detect and, consequently, to block. Although it is still in development, it has already targeted users in Italy, France, Spain and other European countries, with clues suggesting an expansion to Latin America as well. According to the experts who discovered it, «at the time of analysis, 77 distinct targets were identified».

How DroidBot’s attack on banking apps works

Often distributed in the form of seemingly legitimate apps, such as security tools or Google services, DroidBot abuses Android accessibility services to gain control of the device, steal credentials and intercept authentication codes. This threat, while not excelling in technical complexity compared to other malware, represents a significant risk because of its MaaS (Malware-as-a-Service) distribution model, which allows several malicious actors to use it for a fee. On this point, Cleafy's experts stated:

The malware presented here may not shine from a technical point of view, as it is quite similar to known malware families. However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme, something not commonly seen in this type of threat. If we recall significant cases such as Sharkbot, Copybara or the more recent Toxic Panda, the infrastructure, code and campaign planning were all managed “in-house”.

Furthermore, DroidBot combines elements of different attack techniques to maximize its effectiveness. Among its most dangerous capabilities are overlay attacks (fake screens superimposed on legitimate banking apps to steal credentials), SMS interception to obtain authentication codes or TANs (Transaction Authentication Numbers), and taking screenshots of the device. The malware also allows operators to simulate user interactions, for example to complete fraudulent banking transactions. These functions are managed remotely through a control panel accessible to MaaS affiliates, who can customize the malware's configuration to evade security systems.

A distinctive feature of DroidBot is its dual-channel command-and-control (C&C) communication system. Stolen data is sent via the MQTT protocol (Message Queuing Telemetry Transport), while direct commands are transmitted over HTTPS (Hypertext Transfer Protocol over Secure Socket Layer). This approach increases the malware's “resilience” and complicates detection by the security teams of the affected organizations.
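For a network defender, the split between MQTT for exfiltration and HTTPS for tasking is itself a hunting lead: consumer phones running banking apps rarely need raw MQTT (TCP 1883/8883) to an arbitrary Internet host. The following is an added example, not code from the original article or from Cleafy, that runs over a few constructed flow records and flags devices talking MQTT to brokers outside an allowlist. The "same destination also receives HTTPS" correlation in `find_dual_channel` is a heuristic assumed here for illustration; the analysis quoted above does not state that both channels share a host.

```python
"""Hunt for MQTT-based exfiltration from mobile devices in flow logs.

Field order of each record is assumed to be
"timestamp src dst dport proto bytes"; the sample lines below are constructed
for this example and the allowlisted broker address is hypothetical.
"""
from collections import defaultdict

MQTT_PORTS = {1883, 8883}
# Hypothetical allowlist: brokers that corporate apps legitimately use.
ALLOWED_BROKERS = {"203.0.113.10"}

SAMPLE_FLOWS = """\
2024-12-11T10:00:01 10.20.0.15 203.0.113.10 8883 tcp 1200
2024-12-11T10:00:05 10.20.0.15 198.51.100.7 443 tcp 5400
2024-12-11T10:00:09 10.20.0.22 198.51.100.7 8883 tcp 900
2024-12-11T10:00:12 10.20.0.22 198.51.100.7 443 tcp 2300
2024-12-11T10:00:20 10.20.0.31 198.51.100.9 1883 tcp 300
"""


def parse_flows(text):
    """Parse whitespace-separated flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def find_unknown_mqtt(flows):
    """Base signal: any MQTT session to a broker that is not allowlisted."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["proto"] == "tcp"
                   and f["dport"] in MQTT_PORTS
                   and f["dst"] not in ALLOWED_BROKERS})


def find_dual_channel(flows):
    """Stronger (heuristic) signal: the same source used non-allowlisted MQTT
    and HTTPS (443) towards the same destination. Returns {src: [dst, ...]}."""
    mqtt = defaultdict(set)
    https = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["dport"] in MQTT_PORTS and f["dst"] not in ALLOWED_BROKERS:
            mqtt[f["src"]].add(f["dst"])
        elif f["dport"] == 443:
            https[f["src"]].add(f["dst"])
    hits = {}
    for src, dsts in mqtt.items():
        both = dsts & https.get(src, set())
        if both:
            hits[src] = sorted(both)
    return hits


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    print("MQTT to unknown brokers:", find_unknown_mqtt(records))
    print("MQTT + HTTPS to same host:", find_dual_channel(records))
```

On the sample data, 10.20.0.15 only reaches the allowlisted broker and is not flagged; 10.20.0.31 appears in the weaker list only; 10.20.0.22 is the one device that satisfies the dual-channel heuristic. Legitimate IoT and push-notification clients also use MQTT, so the allowlist is what keeps this from being noisy in practice.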

Experts have also discovered that DroidBot contains placeholder functions (such as root checks, different levels of obfuscation and multi-stage unpacking). To “translate” for the layman: these placeholder functions suggest that the malware is still under active development and could become more effective and dangerous as its operation is refined for specific contexts.

Who is behind this new cyber threat? The analysis performed by the cybersecurity experts reveals that DroidBot's developers are probably Turkish-speaking criminals. Furthermore, it appears that the “affiliates” who pay approximately $3,000 a month for access to the malware can count on a Telegram channel to obtain technical support and share strategies, which further increases the danger of DroidBot and its range of action, which according to the experts is very broad, as illustrated by the following map.

DroidBot range of action. Credit: Cleafy.

How to defend yourself from the RAT trojan that empties your accounts

Since this is a new threat, understanding how to defend yourself from DroidBot will still take some time, so much so that Cleafy's technical analysis does not contain specific advice in this regard. In any case, a good starting point is to pay maximum attention and avoid clearly risky behavior, for example installing apps from unofficial sources, even if they appear to be “safe”. It is also important to have good anti-malware installed on your Android smartphone, not to root the device and, equally important, to make sure your operating system is up to date with the latest security patches available.
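Three of the signals above (a sideloaded app, an accessibility service granted to such an app, and an old security patch level) can be checked from a connected device with stock `adb shell` commands. The following is an added example, not code from the original article or from Cleafy, that parses the output of `pm list packages -3 -i`, `settings get secure enabled_accessibility_services` and `getprop ro.build.version.security_patch`; the sample outputs embedded here are constructed, the package names are hypothetical, and the 90-day threshold is a choice made for this example.

```python
"""Triage helper for the DroidBot-style risk signals discussed above.

Feed it the raw text of three `adb shell` commands; it reports
  * third-party apps not installed by Google Play (sideloaded),
  * enabled accessibility services owned by sideloaded apps,
  * whether the security patch level is older than MAX_PATCH_AGE_DAYS.
All sample outputs below are constructed for this example.
"""
from datetime import date
import re

MAX_PATCH_AGE_DAYS = 90          # threshold chosen for the example
PLAY_STORE = "com.android.vending"

# Constructed sample output of `adb shell pm list packages -3 -i`
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.securitytool  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Constructed sample output of
# `adb shell settings get secure enabled_accessibility_services`
SAMPLE_A11Y = (
    "com.example.securitytool/com.example.securitytool.HelperService:"
    "com.example.notes/.ReaderService"
)

# Constructed sample output of `adb shell getprop ro.build.version.security_patch`
SAMPLE_PATCH = "2024-06-05"


def parse_packages(text):
    """Map package name -> installer package (None when sideloaded/unknown)."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if not m:
            continue
        installer = None if m.group(2) == "null" else m.group(2)
        result[m.group(1)] = installer
    return result


def parse_accessibility(text):
    """Return the package names owning an enabled accessibility service.
    Entries are colon-separated flattened component names (pkg/Service)."""
    pkgs = set()
    for entry in text.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def patch_age_days(patch_level, today):
    """Days between the YYYY-MM-DD patch level and `today`."""
    year, month, day = (int(p) for p in patch_level.split("-"))
    return (today - date(year, month, day)).days


def audit(packages_text, a11y_text, patch_level, today):
    """Return a dict of findings; empty lists / False mean nothing suspicious."""
    packages = parse_packages(packages_text)
    sideloaded = sorted(p for p, inst in packages.items() if inst != PLAY_STORE)
    a11y_owners = parse_accessibility(a11y_text)
    return {
        "sideloaded": sideloaded,
        "sideloaded_with_accessibility": sorted(p for p in a11y_owners if p in sideloaded),
        "patch_outdated": patch_age_days(patch_level, today) > MAX_PATCH_AGE_DAYS,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_PATCH, date(2024, 12, 11))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A sideloaded app that has obtained an accessibility service is exactly the combination DroidBot's infection chain relies on, so that finding deserves attention first; an empty report does not prove a device is clean, only that these three cheap checks found nothing.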
