A newly discovered form of Android malware steals users’ passwords, banking information, and cryptocurrency wallets — and does so by bypassing multi-factor authentication protections.
The malware has been detailed by cybersecurity researchers at F5 Labs, who have named it MaliBot. It is the latest in a series of powerful malware families targeting Android users.
In addition to remotely stealing passwords, banking information, and cryptocurrency wallets, MaliBot can also access text messages, steal web browser cookies, and take screenshots of infected Android devices. It can also bypass multi-factor authentication (MFA) – one of the most important defenses people can use to protect themselves from cyber criminals.
Like many Android malware threats, MaliBot is spread by sending phishing messages to users’ phones via text message (smishing) or by luring victims to fraudulent websites. In both cases, victims are encouraged to click a link, which downloads the malware to their phone.
So far, researchers have found two malicious websites used to distribute MaliBot – one is a fake version of a legitimate cryptocurrency tracker app that has over a million downloads on the Google Play Store.
Once installed, MaliBot quietly asks the victim to grant the accessibility and boot permissions it requires to monitor the device and perform malicious operations. These include stealing sensitive information such as passwords and banking details, as well as manipulating the device to force the victim to provide additional information – something it does by stealing multi-factor authentication codes.
Google Android users are encouraged to use two-step verification, which is designed to keep intruders out of accounts even if the password is known – but the cybercriminals behind MaliBot know this and have come up with a way around it.
Once MaliBot has captured the credentials on the device, it can bypass multi-factor authentication by using its accessibility permissions to click the ‘Yes’ button on the prompt asking whether the user is trying to log in. If the user saw this prompt they might find it suspicious, but the access granted to MaliBot lets it place an overlay over the prompt so that it is not seen.
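A defender-side illustration of the technique described above (an added example, not code from the article or from F5 Labs' report): a Kotlin sketch of how a banking or wallet app can reduce its exposure by marking its approval screen secure against screenshots, asking Android 12+ to hide other apps' overlay windows, and checking for enabled accessibility services outside a hypothetical allow-list before offering a one-tap approval.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Hypothetical allow-list of accessibility services the app trusts (constructed for
// this example; a real deployment maintains its own list, e.g. the platform screen reader).
private val TRUSTED_ACCESSIBILITY_PACKAGES = setOf(
    "com.google.android.marvin.talkback",
)

/** Package names of enabled accessibility services that are not on the allow-list. */
fun untrustedAccessibilityServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .filterNot { it in TRUSTED_ACCESSIBILITY_PACKAGES }
        .distinct()
}

/** Hardens a sensitive window (login, MFA approval, wallet) against screenshots and overlays. */
fun hardenSensitiveWindow(activity: Activity) {
    // FLAG_SECURE blanks this window in screenshots and screen recordings.
    activity.window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
    // On Android 12+ ask the system to hide other apps' overlay windows while this window
    // is on top (requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest).
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        activity.window.setHideOverlayWindows(true)
    }
}

class MfaApprovalActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        hardenSensitiveWindow(this)
        val suspicious = untrustedAccessibilityServices(this)
        if (suspicious.isNotEmpty()) {
            // Hypothetical handling: withhold the one-tap 'Yes' approval and tell the user
            // which accessibility service is enabled so they can decide whether it is expected.
            showAccessibilityWarning(suspicious)
            return
        }
        // Normal approval UI is rendered here when no untrusted service is enabled.
    }

    private fun showAccessibilityWarning(packages: List<String>) { /* app-specific UI */ }
}
```

None of these controls stops an already-installed accessibility service from reading the screen; they raise the cost of the silent overlay-and-click step the article describes and surface the risk to the user.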
MaliBot also uses a similar technique to bypass the additional protections on cryptocurrency wallets, allowing the attackers to steal Bitcoin or other cryptocurrencies from accounts associated with the infected Android smartphone.
In addition to stealing sensitive information and currency from the victim, MaliBot also comes equipped with the ability to send text messages that can be used to infect others with the malware — a tactic similar to the one that helped the FluBot malware become so successful.
Currently, the MaliBot campaign focuses solely on customers of Spanish and Italian banks, but researchers warn that “we can expect a wider range of targets from the app over time”.
While the malware is currently aimed at stealing banking information and cryptocurrency, the researchers warn that MaliBot’s powerful capabilities, which allow control over an infected device, “could be used for a wider range of attacks than stealing credentials and cryptocurrency.”
To avoid falling victim to MaliBot or other Android malware attacks, users should be wary of following links in unexpected text messages and be careful when downloading apps from third-party websites.
Users should also be aware of the risks associated with enabling accessibility options – although they have legitimate uses, they are also widely abused by cyber criminals.