DroidBot Malware Targets Banking and Crypto Apps Across Europe

A newly identified Android malware called DroidBot has been stealing credentials from over 77 cryptocurrency exchanges and banking apps in the UK, Italy, France, Spain, and Portugal since June 2024. Researchers from Cleafy revealed that DroidBot operates as a malware-as-a-service (MaaS) platform, costing $3,000 per month, and has attracted at least 17 affiliate groups that customize it to target specific regions and apps.

Though it lacks advanced features, DroidBot has infected 776 devices across multiple countries and is expanding to new regions like Latin America. It masquerades as legitimate apps like Google Chrome or Android Security to deceive users, then leverages Android Accessibility Services to execute keylogging, overlay fake login pages, intercept SMS messages (including OTPs), and remotely control devices via a VNC module.

The malware is distributed through a centralized platform offering detailed support, tools, and updates, lowering the technical barrier for affiliates. To protect against DroidBot, users should only download apps from trusted sources, carefully review permissions, and ensure Play Protect is enabled.
