A newly discovered form of Android malware steals passwords, bank details and cryptocurrency wallets, and bypasses multi-factor authentication protections. This malware, dubbed MaliBot by cybersecurity researchers at F5 Labs, is the latest in a string of malware that targets Android users (ZDNet, 2022).
This malware remotely steals passwords, bank details, and cryptocurrency wallets, and can also access text messages, steal web browser cookies, and take screen captures from infected Android devices. Alarmingly, the malware can also circumvent multi-factor authentication.
MaliBot, like a lot of malware, leverages phishing messages for initial access. Specifically, it uses SMS phishing (smishing) to lure victims to fraudulent websites. The links in these messages download the MaliBot malware onto the victim's phone.
Researchers have found two malicious websites used to distribute MaliBot. One of the sites is a fake version of a legitimate cryptocurrency tracker app that has more than a million downloads from the Google Play Store.
Once downloaded, the malware covertly asks the victim to grant accessibility and launcher permissions, which it uses to monitor the device and perform other malicious activities. The malware will also trick victims into giving up multi-factor authentication codes.
“Once MaliBot has captured credentials on the device, it can bypass multi-factor authentication by using the accessibility permissions, to click the 'Yes' button on the prompt asking if the user is trying to sign in. If a user sees this, they might find it suspicious, but the access granted to MaliBot could hide an overlay over the prompt so it isn't seen” (ZDNet, 2022). It's likely that MaliBot uses similar techniques to bypass protection around cryptocurrency wallets.
MaliBot uses compromised devices to send SMS messages that infect other Android devices. FluBot used a similar technique, which helped make it so successful. MaliBot has mostly targeted victims in Spain and Italy, but researchers expect the malware to spread globally as time goes on. While the malware has been mostly used to steal bank details and cryptocurrency, it has capabilities to carry out other nefarious activities.
To avoid falling victim to MaliBot or other Android malware attacks, users should be wary of following links in unexpected text messages and should be cautious about downloading apps from third-party websites.
Users should also be aware of the risks associated with enabling accessibility options – while they do have a legitimate use, they're also widely abused by cyber criminals.
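The two warning signs above (an app installed from outside an app store, and an app holding accessibility access) can be checked together on a device. The following is an added example, not code from ZDNet or F5 Labs: it cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -3 -i`. The sample outputs, the `com.example.*` package names and the trusted-installer list are constructed assumptions.

```python
import re

# Assumption: installers treated as trusted app stores; adjust as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(setting):
    """Package names from `settings get secure enabled_accessibility_services`
    (colon-separated `package/ServiceClass` components, or `null`)."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def parse_installers(listing):
    """Map package -> installer from `pm list packages -3 -i` output.
    `-3` limits the list to third-party apps, so preinstalled system
    accessibility services never appear here and are not flagged."""
    installers = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def risky_accessibility_apps(setting, listing):
    """Third-party apps with an enabled accessibility service that were
    not installed by a trusted store (sideloaded apps show installer=null)."""
    installers = parse_installers(listing)
    return sorted(pkg for pkg in parse_accessibility(setting)
                  if pkg in installers
                  and installers[pkg] not in TRUSTED_INSTALLERS)

# Constructed sample outputs (not taken from a real device).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cryptotracker/.HelperService:"
    "com.example.passwordmgr/.AutofillService"
)
SAMPLE_LISTING = """\
package:com.example.cryptotracker  installer=null
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.game  installer=null
"""

if __name__ == "__main__":
    for pkg in risky_accessibility_apps(SAMPLE_SETTING, SAMPLE_LISTING):
        print("review:", pkg)
```

A flagged package is a prompt for review, not proof of infection: some legitimate apps are sideloaded and use accessibility services.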