New Android banking Trojan DroidBot disguises itself as Chrome, Google Play

Man

A new banking Trojan for Android has appeared on the cyber threat landscape — DroidBot. Once on a smartphone, the malware can extract credentials not only from banking applications, but also from crypto wallets.

The DroidBot attacks were reported by specialists at Cleafy, according to whom the Trojan's operators have been active since June 2024.

The malware's authors distribute it using the "malware as a service" (MaaS) model and ask for $3,000 per month for the opportunity to use DroidBot in cyberattacks without restrictions.

Researchers have counted at least 17 cyber groups that have subscribed to MaaS and developed their own custom payloads to attack specific victims.

Despite lacking any outstanding or sophisticated functionality, DroidBot managed to infect 776 devices in the UK, Italy, France, Germany and Turkey.

Cleafy believes that the new Android banking Trojan is currently in development, and the operators are planning to expand the geography of attacks in the near future.

Apparently, the DroidBot developers live in Turkey. They are behind the creation of not only the malware builder itself, but also C2 servers with an admin panel. The latter allows you to control all campaigns and obtain compromised data.

DroidBot often disguises itself as legitimate software such as Google Chrome, Google Play Store, or Android Security.

Among its functional capabilities, experts note the following:
  • Keylogging: the malware reads the keystrokes of the virtual keyboard;
  • Overlays: the Trojan displays fake data entry forms on top of legitimate applications;
  • SMS interception: the Trojan extracts one-time codes from incoming text messages.
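
A triage check a defender could run over a decoded `AndroidManifest.xml` (for example, apktool output), covering the disguise labels and the three capabilities listed above. It is an added example, not code from the post or from Cleafy. The finding names, the sample manifest, and the use of an accessibility service as a signal for keylogging and overlays are assumptions not stated on the page.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Labels the article says DroidBot borrows, mapped to the genuine package names.
# Assumption: no package is allow-listed for "Android Security".
GENUINE = {
    "chrome": {"com.android.chrome"},
    "google chrome": {"com.android.chrome"},
    "google play store": {"com.android.vending"},
    "android security": set(),
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Google Chrome">
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage(manifest_xml):
    # Returns sorted finding names. Only literal labels are compared;
    # an unresolved @string/... reference is not matched.
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = set()
    allowed = GENUINE.get(label.strip().lower())
    if allowed is not None and package not in allowed:
        findings.add("impersonated-label")      # trusted name, foreign package
    if perms & SMS_PERMS:
        findings.add("sms-access")              # can read one-time codes
    if OVERLAY_PERM in perms:
        findings.add("overlay-permission")      # can draw over other apps
    if any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service")):
        findings.add("accessibility-service")   # can observe typed input
    return sorted(findings)

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

An impersonated label combined with any of the other findings is the signal worth escalating; each permission alone also appears in legitimate apps.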