New Android Malware “MaliBot” Able to Bypass MFA and Steal Credentials
A new, sophisticated Android malware has been found targeting online-banking and crypto-wallet users in Italy and Spain. The malware, called MaliBot, exfiltrates data from compromised devices. Once the victim grants it access to Android's Accessibility Service, it can also read whatever is on the screen and tap, type and navigate inside other apps on the attacker's behalf.
MaliBot is distributed the way most financial-fraud malware is: the attackers hide it inside apps that look useful. In this case, they built fraudulent versions of The CryptoApp, a popular cryptocurrency app whose legitimate version has over a million downloads on Google Play.
Once a user installs and opens the fake app, the malicious code runs and asks for the permissions it needs, most importantly Accessibility Service access. From there the device is under the attacker's control. The malware also spreads further by sending smishing (SMS phishing) messages to the contact lists of infected devices.
Here is how MaliBot harvests login credentials:
- The Trojan scans the installed apps to identify which banking and wallet apps the victim uses.
- When the victim opens one of those legitimate apps, the Trojan draws a fake login screen over it (an overlay) so that the victim believes they are talking to the real app.
- Whatever the victim types into the overlay is captured and sent to the attacker's command-and-control server.
Researchers traced MaliBot to Russia; it shares command-and-control infrastructure with the Sality malware. Its most dangerous capability is getting around two-factor authentication. It does not break 2FA itself: through Android's Accessibility API it reads the confirmation codes shown on screen by authenticator apps such as Google Authenticator and forwards them to the attacker, who can then complete the login. The same screen-reading technique, which abuses a legitimate Android feature rather than a software bug, is used against crypto-wallet apps.
How to protect your device from MaliBot
It is worrying that this malware can sidestep MFA and other standard security features, but that does not leave you entirely at the mercy of attackers. There are several things you can do to stop an attack like this from succeeding on your device. Here are the main ones:
Never download apps that seem suspicious
Despite Google's best efforts, it is impossible to stop every malicious app from reaching users, especially when attackers hide malicious code inside apps that appear useful and push them through links outside the official store. This type of malware is known as a Trojan horse. Such apps can be hard to tell apart from the genuine article, which is why so many people fall for them.
Here are some common signs that an app is malicious:
- It sounds too good to be true;
- You can’t verify the app’s publisher;
- Sketchy messaging.
If an app promises quick and easy crypto mining or returns, it is very likely a scam. These apps also tend to use more aggressive and demanding messaging than usual, urging you to act now or to enable settings immediately, which should be a warning sign in itself.
Use threat detection tools
Unfortunately, some malware is so well crafted that even a security-aware person will struggle to spot it. That is where a threat-detection tool helps: it can flag dubious apps and let you remove them before they do any damage.
Android's built-in Google Play Protect scans installed apps and should stay switched on. Beyond that, paid security products typically offer more features; NordVPN, for example, bundles a threat-protection feature with its service. A few free options also do a good job, but they often come with a lot of advertising, so be wary of that.
Be careful with app permissions
MaliBot only works because the victim grants it what it asks for. Its key request is to be enabled as an accessibility service, which lets it read the screen and act inside other apps; it also wants SMS and contacts access so it can spread by smishing. Very few people read these prompts carefully when installing an app. Read each one and ask whether that app genuinely needs that permission. A crypto app has no good reason to ask for your contact list or camera, and almost no app that is not an assistive tool has a good reason to be enabled as an accessibility service.
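The permission combination described above can be checked from a computer with adb. The script below is an added example written for this article, not code from the original page or from any security vendor. It takes the value returned by `adb shell settings get secure enabled_accessibility_services` and a trimmed, constructed rendering of `adb shell dumpsys package packages` (the package names and the dump text are made up for the example), and flags packages that combine a non-allowlisted accessibility service with overlay, SMS and contacts permissions. The allowlist of expected accessibility services is an assumption that you would fill in for your own device.

```python
"""Added example: triage Android packages for the capability set MaliBot abuses.

Inputs are constructed stand-ins for the output of two adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package packages
"""
from __future__ import annotations
import re

# Constructed sample of the enabled_accessibility_services setting:
# colon-separated 'package/ServiceClass' entries.
ENABLED_A11Y_SAMPLE = "com.android.talkback/.TalkBackService:com.cryptoapp.fake/.AccService"

# Constructed, heavily trimmed dumpsys-style dump (package names are made up).
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.android.talkback] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
  Package [com.cryptoapp.fake] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
  Package [com.bank.app] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
"""

# Permissions grouped by the MaliBot behaviour they enable.
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}                          # fake login screen
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}  # SMS one-time codes
SMS_SEND = {"android.permission.SEND_SMS"}                                    # smishing
CONTACTS = {"android.permission.READ_CONTACTS"}                               # smishing targets

# Assumed allowlist of accessibility services you expect to see enabled.
A11Y_ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def parse_enabled_accessibility(setting: str) -> set[str]:
    """Return the package names whose accessibility service is switched on."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}


def parse_dumpsys(text: str) -> dict[str, set[str]]:
    """Map each package to the permissions listed in its 'requested permissions' block."""
    perms: dict[str, set[str]] = {}
    current = None
    in_requested = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # any other section ('install permissions:', 'runtime permissions:') ends the block
            in_requested = stripped == "requested permissions:"
            continue
        if in_requested and current and stripped.startswith("android.permission."):
            perms[current].add(stripped)
    return perms


def triage(perms: dict[str, set[str]], a11y_enabled: set[str],
           allowlist: set[str] = A11Y_ALLOWLIST) -> list[dict]:
    """Flag packages whose capabilities match the MaliBot pattern, worst first."""
    findings = []
    for pkg, requested in perms.items():
        unexpected_a11y = pkg in a11y_enabled and pkg not in allowlist
        reasons = []
        if unexpected_a11y:
            reasons.append("accessibility service enabled: can read the screen and tap for you")
        if requested & OVERLAY:
            reasons.append("draw-over-apps: can show a fake login screen")
        if requested & SMS_READ:
            reasons.append("reads SMS: can intercept one-time codes")
        if requested & SMS_SEND and requested & CONTACTS:
            reasons.append("sends SMS and reads contacts: can spread by smishing")
        if not reasons:
            continue
        # A lone overlay or SMS permission is common in benign apps; an unexpected
        # accessibility service, or two or more of these together, is not.
        severity = "high" if (unexpected_a11y or len(reasons) >= 2) else "low"
        findings.append({"package": pkg, "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", -len(f["reasons"])))
    return findings


if __name__ == "__main__":
    report = triage(parse_dumpsys(DUMPSYS_SAMPLE), parse_enabled_accessibility(ENABLED_A11Y_SAMPLE))
    for f in report:
        print(f"{f['severity'].upper():5} {f['package']}")
        for r in f["reasons"]:
            print("      -", r)
```

On a real device, pipe the two adb commands into the parsers instead of the constructed samples. The severity rule is deliberately conservative: many legitimate apps hold SYSTEM_ALERT_WINDOW or an SMS permission on its own, so the script only escalates when an unexpected accessibility service is enabled or several of these capabilities sit in one package.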
Mobile attacks are on the rise
MaliBot is far from the only mobile threat out there. Security researchers reported a sharp rise in mobile attacks in 2022, and both iOS and Android users are targets. Android's support for installing apps from outside Google Play, and the breadth of permissions a user can grant an app, make it the easier platform to compromise.
Malicious links and downloads delivered by SMS are the most common way people fall victim to mobile attacks. Do not open links or attachments from unknown numbers, and keep your operating system and apps updated to close known vulnerabilities.