MaliBot Trojan Targets Online Banking and Cryptocurrency Wallets

Risk:
high
Damage:
high
Platform(s):
Web Servers, Systems, Networks, Mobile Networks and Telephones
Advisory ID:
ngCERT-2022-0083
Version:
N/A
CVE:
N/A
Published:
June 29, 2022

Summary


MaliBot is an information-stealing Trojan for Android that is distributed disguised as legitimate cryptocurrency apps. It targets online banking apps and cryptocurrency wallets with the aim of stealing Personally Identifiable Information (PII) and account credentials. Other functionality of the Trojan includes launching and uninstalling apps, web injections and overlay attacks.

Description & Consequence


The primary mode of distribution is via dubious cryptocurrency websites that try to get the intended victim to manually download the app as an APK file and sideload it onto their device. There is also an ongoing smishing (phishing via SMS) campaign to drive app installs. Upon installation, the malicious app requests permissions, including access to the Android Accessibility API. Access to the Accessibility API allows the malware to remain persistent on the infected device and to perform actions on screen without user interaction. The malware then connects to its Command-and-Control (C2) server and sends a list of the apps installed on the infected device. The goal is to determine which banking and wallet apps the victim uses, so that the C2 can push matching overlays of those apps' login screens and capture the credentials typed into them. The malware has been found in clones of legitimate applications such as TheCryptoApp and in a bogus cryptocurrency mining app called Mining X.

The adverse effects of MaliBot include theft of credentials and cookies, registering itself to run at boot, and giving threat actors remote control of the device via Virtual Network Computing (VNC). With remote control they can take screenshots, copy and paste information, navigate the device, and so on. MaliBot can also circumvent Multi-Factor Authentication (MFA) safeguards: it intercepts the notifications of suspicious login attempts, marks them as read so the victim does not see them, and forwards the One-Time Password (OTP) to its C2.
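The two device-side conditions described above, a sideloaded third-party app and an enabled accessibility service, can both be read from an Android device over adb. The script below is an added example written for this advisory, not tooling from ngCERT or from any MaliBot analysis; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags third-party packages that were not installed from a known app store yet hold accessibility access. The package names in the embedded sample output (com.example.miningx, com.example.screenreader, com.example.bank) are constructed for the example and are not real MaliBot indicators.

```python
"""
Audit an Android device for the combination MaliBot relies on:
a sideloaded third-party app that has an enabled accessibility service.
Added example for this advisory; package names below are constructed.
"""
import re
import subprocess

# Installer package names treated as legitimate app stores (assumption:
# extend this set for devices that use other vendor stores).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Constructed sample output in the format of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated list of package/service entries).
SAMPLE_ACCESSIBILITY = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.miningx/com.example.miningx.AccService"
)

# Constructed sample output in the format of
# `adb shell pm list packages -3 -i` (installer=null means sideloaded).
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.miningx  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_accessibility(setting):
    """Return the set of package names with an enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def parse_packages(listing):
    """Map third-party package name -> installer package name."""
    result = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def suspicious_apps(setting, listing):
    """Sideloaded third-party packages that also hold accessibility access."""
    with_accessibility = parse_accessibility(setting)
    installers = parse_packages(listing)
    return sorted(
        pkg for pkg, installer in installers.items()
        if installer not in TRUSTED_INSTALLERS and pkg in with_accessibility
    )


def audit_live_device():
    """Run the same checks against a connected device (requires adb in PATH)."""
    def adb(*args):
        return subprocess.run(["adb", "shell", *args],
                              capture_output=True, text=True, check=True).stdout
    setting = adb("settings", "get", "secure", "enabled_accessibility_services")
    listing = adb("pm", "list", "packages", "-3", "-i")
    return suspicious_apps(setting, listing)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; prints ['com.example.miningx']
    print(suspicious_apps(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES))
```

A hit from this check is not proof of infection, since legitimate sideloaded apps (password managers, automation tools) also use accessibility services; it narrows the list to the apps that should be reviewed and, if unrecognised, removed.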

Solution


  1. Install apps only from official app stores. Sideloading an APK requires explicitly allowing installation from unknown sources in the device settings; leave that setting disabled and do not enable it at the request of a website or text message.
  2. Do not grant apps permissions they do not need for their stated purpose, and be especially wary of any app that asks for accessibility service access.
  3. Do not respond to unsolicited text messages (SMS) and exercise caution before opening links they contain.
  4. Never enter personally identifiable information (PII), banking credentials or OTP codes into an app or web page reached through an unsolicited link.
