While tracking the mobile banking trojan FluBot, F5 Labs recently discovered a new strain of Android malware which we have dubbed “MaliBot”. While its main targets are online banking customers in Spain and Italy, its ability to steal credentials and cookies and to bypass multi-factor authentication (MFA) codes means that Android users all over the world must be vigilant. Some of MaliBot’s key characteristics include:
- MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”, and occasionally assumes some other guises, such as “MySocialSecurity” and “Chrome”
- MaliBot is focused on stealing financial information, credentials, crypto wallets, and personal data (PII), and also targets financial institutions in Italy and Spain
- MaliBot is capable of stealing and bypassing multi-factor (2FA/MFA) codes
- It includes the ability to remotely control infected devices using a VNC server implementation
This article is a deep dive into the tactics and techniques this malware strain employs to steal personal data and evade detection.
MaliBot’s command and control (C2) is in Russia and appears to use the same servers that were used to distribute the Sality malware. Many campaigns have originated from this IP since June of 2020 (see Indicators of Compromise). It is a heavily modified reworking of the SOVA malware, with different functionality, targets, C2 servers, domains and packing schemes.
MaliBot has an extensive array of features:
- Web injection/overlay attacks
- Theft of cryptocurrency wallets (Binance, Trust)
- Theft of MFA/2FA codes
- Theft of cookies
- Theft of SMS messages
- The ability to bypass Google two-step authentication
- VNC access to the device and screen capturing
- The ability to run and delete applications on demand
- The ability to send SMS messages on demand
- Information gathering from the device, including its IP, AndroidID, model, language, installed application list, screen and locked states, and reporting on the malware’s own capabilities
- Extensive logging of any successful or failed operations, phone activities (calls, SMS) and any errors
Distribution of MaliBot is performed by attracting victims to fraudulent websites where they are tricked into downloading the malware, or by directly sending SMS phishing messages (smishing) to mobile phone numbers.
The malware authors have so far created two campaigns, “Mining X” and “TheCryptoApp”, each of which has a website with a download link to the malware (see Campaign Screenshots in the Appendix).
The TheCryptoApp campaign attempts to trick people into downloading the malware instead of the legitimate TheCryptoApp, a cryptocurrency tracker app with more than 1 million downloads in the Google Play Store [1].
For stealth and targeting purposes, the download link directs the user to the malware APK only if the victim visits the website from an Android device; otherwise, the download link refers to the real TheCryptoApp app in the Play Store (see Figure 1 and Figure 2).
The Mining X campaign is not based on any actual application in the Google Play store, but instead presents a QR code that leads to the malware APK.
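The user-agent cloaking described above (an APK for Android visitors, a Play Store redirect for everyone else) can be verified from an analyst workstation. The following is an added example, not F5 Labs' code: `check_cloaking` fetches the link with two user agents and compares what comes back, and `fake_fetch` is a constructed offline stand-in that behaves like the campaign site so the logic runs without network access.

```python
# Added example (not F5 Labs' code): detect user-agent cloaking on a download link.
# The `fetch` callable is injected so the comparison logic can run offline.
import urllib.request

ANDROID_UA = "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 Chrome/101.0 Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/101.0 Safari/537.36"


def http_fetch(url, user_agent):
    """Real fetcher: returns (final_url, content_type, first_bytes). Needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.headers.get("Content-Type", ""), resp.read(4)


def looks_like_apk(content_type, head):
    # APKs are ZIP containers: "PK\x03\x04" magic, usually served with the APK MIME type
    return head.startswith(b"PK\x03\x04") or "android.package-archive" in content_type


def check_cloaking(url, fetch=http_fetch):
    """Compare what an Android client and a desktop client receive for the same URL."""
    a_url, a_ct, a_head = fetch(url, ANDROID_UA)
    d_url, d_ct, d_head = fetch(url, DESKTOP_UA)
    android_apk = looks_like_apk(a_ct, a_head)
    return {
        "android_gets_apk": android_apk,
        "desktop_redirected_to_store": "play.google.com" in d_url,
        # Cloaked: Android visitors get a binary that desktop visitors never see
        "cloaked": android_apk and not looks_like_apk(d_ct, d_head),
    }


# Constructed offline stand-in mimicking the behaviour described in the article
def fake_fetch(url, user_agent):
    if "Android" in user_agent:
        return url, "application/vnd.android.package-archive", b"PK\x03\x04"
    return "https://play.google.com/store/apps/details?id=placeholder", "text/html", b"<!DO"


if __name__ == "__main__":
    # Hypothetical URL; replace with the link under investigation and drop fetch= to go live
    print(check_cloaking("https://example.invalid/download", fetch=fake_fetch))
```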
Smishing is commonly used by mobile banker trojans because it allows the malware to spread in a fast and controllable way, and MaliBot is no different. MaliBot can send SMS messages on demand: once it receives a “sendsms” command from the C2 server containing a text to send and a phone list, MaliBot sends the SMS to each phone number (Figure 3).
MaliBot’s C2 IP has been used in other malware smishing campaigns since June 2020, which raises questions about how the authors of this malware are related to other campaigns (see Campaign Screenshots).
How MaliBot Works
Android ‘packers’ are becoming increasingly popular with malware developers since they allow native code to be encrypted within the mobile app, making reverse engineering and analysis much more difficult. Using the Tencent packer, MaliBot unpacks itself by decrypting an encrypted Dex file from the assets and loading it at runtime using MultiDex. We have a detailed analysis of the Tencent packer in the “Dex decryption” section of our FluBot article. Please note that not all MaliBot samples are packed.
Once loaded, MaliBot contacts the C2 server to register the infected device, then asks the victim to grant accessibility and launcher permissions. MaliBot then registers four services that perform most of the malicious operations:
- Background Service
  - Polls for commands from the C2
  - Handles C2 commands
  - Sends device and malware information (such as permissions enabled, phone locked, "VNC" enabled, etc.)
  - Sends keep-alive pings to the C2
- Notify Service
  - Checks whether accessibility permissions have been granted; if not, it sends a notification asking the user to enable them and navigates to Settings
- Accessibility Service
  - Implements VNC-like functionality using the Accessibility API (see below)
  - Grabs information from the screen
  - Populates the Bus object, which stores the device’s state
- Screen Capture Service
  - Responsible for capturing the screen; also used as part of the "VNC" implementation
Four Receivers are registered as well:
- SMS Receiver – interception of SMS messages
- Boot Receiver
- Call Receiver
- Alarm Receiver – background service watchdog to intercept calls, register boot activity, and intercept alarms
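The services and receivers listed above all have to be declared in the APK's manifest, which makes the combination a useful static triage signal. The following is an added example, not F5 Labs' code: it parses a constructed manifest (hypothetical package and class names) and flags the accessibility service, SMS/boot receivers and SMS/overlay permissions that the article attributes to MaliBot.

```python
# Added example (not F5 Labs' code): static triage of AndroidManifest.xml for the
# accessibility-service + SMS-receiver + boot-persistence pattern described above.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package and class names are hypothetical
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.miningx">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRcv"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <receiver android:name=".BootRcv"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""

# Component signals: (element tag, intent action that identifies the component)
SIGNALS = {
    "accessibility_service": ("service", "android.accessibilityservice.AccessibilityService"),
    "sms_receiver": ("receiver", "android.provider.Telephony.SMS_RECEIVED"),
    "boot_receiver": ("receiver", "android.intent.action.BOOT_COMPLETED"),
}
RISKY_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
               "android.permission.SYSTEM_ALERT_WINDOW"}


def triage_manifest(xml_text):
    """Return (hits, verdict): matched permissions/components and a coarse label."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(perms & RISKY_PERMS)
    for label, (tag, action) in SIGNALS.items():
        for component in root.iter(tag):
            actions = {a.get(ANDROID_NS + "name") for a in component.iter("action")}
            if action in actions:
                hits.append(label)
                break
    # Accessibility + SMS interception + boot persistence together is the banker pattern
    core = {"accessibility_service", "sms_receiver", "boot_receiver"}
    verdict = "banker-like" if core <= set(hits) else "review"
    return hits, verdict
```

A real manifest must first be decoded from its binary form (e.g. with apktool or androguard); a packed sample such as the Tencent-packed MaliBot variants also hides the real Dex, so this check complements rather than replaces dynamic unpacking.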
Accessibility API Abuse
MaliBot performs most of its malicious operations by abusing Android’s Accessibility API. The Accessibility API is a powerful tool developed to encourage Android developers to build apps that are accessible to users with additional needs. The Accessibility API allows mobile apps to perform actions on behalf of the user, including the ability to read text from the screen, press buttons and listen for other accessibility events.
However, these powerful functions can also allow attackers to steal sensitive information and manipulate the device to their advantage. FluBot, Sharkbot and Teabot are just a few examples of banking trojans other than MaliBot that abuse the Accessibility API. This service also allows mobile malware to maintain persistence: the malware can protect itself against uninstallation and permission removal by looking for specific text or labels on the screen and pressing the back button to prevent them.
Google’s 2-Step Verification Bypass
Stealing credentials is often not enough to allow an attacker to successfully log in to a victim’s account. Since Google accounts are often protected with multi-factor authentication (also known as two-factor authentication, or in Google’s case, 2-step verification), a prompt will be shown on the victim’s device if an unknown device tries to log in. The prompt asks the victim to grant or deny the login attempt, then to match a number shown on the other device. Once they have used MaliBot to capture credentials, the attackers can authenticate to Google accounts on the C2 server using those credentials, and use MaliBot to extract the MFA codes through the following steps:
- First, it validates that the current screen is a Google prompt screen (Figure 4 & Figure 5).
- Using the Accessibility API, the malware clicks on the "Yes" button.
- The attacker logs the MFA code shown on the attacker’s device to the C2.
- The malware then retrieves the MFA code that was shown on the attacker’s device from the C2 (Figure 6 & Figure 7).
- MaliBot then clicks on the correct button on the screen by matching the buttons’ values against the number retrieved from the C2 server (Figure 8 and Figure 9).