
New DroidBot Spyware Targets Banking Apps, Crypto Platforms Worldwide

DroidBot is an Android RAT sold as Malware-as-a-Service and currently aimed at 77 banking, cryptocurrency and national-organization targets. This article covers how it works, who is behind it, and how to stay protected.

08-Dec-2024
5 min read

The Threat Intelligence and Research (TIR) team has uncovered DroidBot, an Android Remote Access Trojan (RAT) that targets financial institutions, cryptocurrency exchanges, and national organizations. Discovered in late October 2024, DroidBot combines espionage capabilities (keylogging, user-interface monitoring) with fraud capabilities (overlays, remote device control), and it is sold to affiliates as a service. Together these make it a useful measure of how far mobile malware has matured.


What is DroidBot?

DroidBot is a sophisticated Android RAT that combines traditional techniques like hidden VNC and overlay attacks with advanced spyware-like functionalities such as:

  • Keylogging: Intercepting sensitive user input such as login credentials.
  • User Interface Monitoring: Monitoring activities on the infected device.
  • Dual-Channel Communication:
    • Outbound data transmitted through MQTT (Message Queuing Telemetry Transport).
    • Inbound commands received via HTTPS for enhanced resilience.

Its infrastructure reflects a Malware-as-a-Service (MaaS) model: affiliates customize and deploy their own builds, so the same core malware appears in many unrelated campaigns and each campaign looks slightly different to defenders.


Key Features of DroidBot

1. Advanced Capabilities

  • Overlay Attacks: Displaying fake login screens over legitimate apps to steal user credentials.
  • Remote VNC Access: Periodic screenshots and real-time device control for continuous monitoring.
  • Screen Interaction: Simulates user actions such as form filling and navigation, allowing complete remote device manipulation.

2. Unique Communication Methods

DroidBot sends outbound data over MQTT (Message Queuing Telemetry Transport), which is rare in Android malware. MQTT is a lightweight publish/subscribe protocol built for IoT and real-time messaging, so the traffic looks like ordinary device telemetry rather than the HTTP beaconing most mobile C2 detections are tuned for; the C2 list in the appendix even includes a broker hosted on a public managed MQTT service. The broker address is not hard-coded: the client fetches it at runtime through an encrypted request to a remote server, which lets operators rotate brokers without rebuilding the malware and makes static indicators short-lived.

3. Signs of Ongoing Development

The samples analysed do not look finished, which points to active development:

  • Placeholder functions, such as a root check, that are present but not yet implemented.
  • Multi-stage unpacking, which adds a layer of obfuscation.
  • Varying levels of feature implementation across samples.

Targets and Impact

Affected Regions and Entities

DroidBot’s current campaigns target 77 entities across:

  • United Kingdom
  • France
  • Italy
  • Spain
  • Portugal

Geopolitical Links

Evidence points to Turkish-speaking developers: language settings in the malware's code, environment metadata visible in screenshots the operators shared, and operational patterns tied to Turkish domains. The victim base is not limited to Turkey, however; targeted users span English, Italian, Spanish, and Turkish speakers, which shows the developers' intent to extend their geographical reach.

Noteworthy Metrics

  • Countries with infected devices: UK, France, Turkey, Germany, and Italy.
  • Distinct infected devices: over 776 unique device IDs.
  • Most affected region: United Kingdom.

Operational Infrastructure: Malware-as-a-Service (MaaS)

DroidBot’s MaaS model introduces a new dimension in mobile malware:

  • Builder Tool: Lets affiliates generate customized builds for their own campaigns.
  • Affiliate Network: 17 distinct botnets, each run by a separate affiliate, were observed sharing the same MQTT infrastructure.
  • Subscription Model: Advertised through a Telegram channel at $3,000 per month.

This setup mimics legitimate Software-as-a-Service platforms, enhancing scalability and complicating detection efforts.


Technical Analysis

Malware Delivery

DroidBot disguises itself as legitimate applications such as:

  • Google services.
  • Security tools.
  • Popular banking apps.

Infection Chain:

  • Side-loading via social engineering remains the primary attack vector: the victim is persuaded to install the disguised APK from outside the Play Store. Once installed, the app asks the victim to enable its Accessibility Service, which DroidBot then abuses for keylogging, overlays, and remote control.

Command-and-Control (C2) Communication

DroidBot’s C2 traffic runs over MQTT, with a separate topic for each type of communication and an encrypted payload on every message. Keeping message types on separate topics makes the protocol modular and easy to extend in future versions.

Encryption Process (applied to every outbound message):

  1. Serialisation: The clear-text message is converted to a byte array.
  2. XOR Encryption: The bytes are XORed with a dynamic key (one supplied at runtime rather than fixed in the sample).
  3. Compression: The XOR output is compressed with zlib. Because this happens after encryption it serves obfuscation more than bandwidth, and a decoder must decompress before it decrypts.
  4. Transmission: The result is published to the MQTT broker.
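The four-step pipeline above, modelled end to end as an added example (this is illustrative code written for this article, not DroidBot's own code or the original analysis). It shows the client-side encoding in the stated order, the analyst-side decoding in the reverse order, and why repeating-key XOR is weak: if the first few plaintext bytes are predictable, an analyst who captures one MQTT payload can recover the key. The JSON message shape, the field name `bot_id`, the key `dr0idb0t` and the assumption that the key is a short byte string reused cyclically are all assumptions made for the example, not facts from the page.

```python
"""Model of the serialise -> XOR -> zlib -> publish pipeline (added example).

Assumptions (not stated in the analysis): messages are JSON objects, the XOR
key is a short byte string applied cyclically, and the same key is used for
every message in a session. Sample message and key are constructed here.
"""
import json
import zlib
from itertools import cycle

# Constructed sample data for the example (not real DroidBot traffic).
SAMPLE_KEY = b"dr0idb0t"
SAMPLE_MESSAGE = {
    "bot_id": "client0",            # affiliate name, as in the appendix
    "device_id": "a1b2c3d4",
    "type": "keylog",
    "data": "user=alice pass=hunter2",
}
# Known plaintext an analyst can assume if the schema starts with this field.
KNOWN_PREFIX = b'{"bot_id":"'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_payload(message: dict, key: bytes) -> bytes:
    """Client side, in the order the analysis gives: serialise, XOR, zlib."""
    plaintext = json.dumps(message, separators=(",", ":")).encode("utf-8")  # 1. serialise
    ciphertext = xor_bytes(plaintext, key)                                  # 2. XOR
    return zlib.compress(ciphertext)                                        # 3. compress
    # 4. the caller publishes the returned bytes on the appropriate MQTT topic


def decode_payload(payload: bytes, key: bytes) -> dict:
    """Analyst side: undo the steps in reverse order (decompress first, then XOR)."""
    ciphertext = zlib.decompress(payload)
    plaintext = xor_bytes(ciphertext, key)
    return json.loads(plaintext.decode("utf-8"))


def recover_key(payload: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on the XOR step.

    With a cyclic key, ciphertext[i] = plaintext[i] ^ key[i % key_len], so the
    first key_len bytes of known plaintext XORed against the decompressed
    payload give the whole key. Needs len(known_prefix) >= key_len.
    """
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    ciphertext = zlib.decompress(payload)
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])


if __name__ == "__main__":
    wire = encode_payload(SAMPLE_MESSAGE, SAMPLE_KEY)
    print("payload bytes on the wire:", len(wire))
    print("decoded with known key:   ", decode_payload(wire, SAMPLE_KEY))
    guessed = recover_key(wire, KNOWN_PREFIX, len(SAMPLE_KEY))
    print("key recovered from prefix:", guessed)
    print("decoded with recovered key:", decode_payload(wire, guessed))
```

On real traffic the input to `decode_payload` would be the payload of a captured MQTT PUBLISH packet; the key length would have to be guessed (try small values until the decoded bytes parse as JSON). The example generalises beyond the page in one respect: it shows that the "dynamic" key offers little protection once a single message with a guessable prefix is captured.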

Threat Actor Attribution

Turkish Origins

Evidence from Telegram channels, environmental clues, and domain analysis ties DroidBot’s developers to Turkey. An operational slip (a screenshot shared by the operators) revealed:

  • Turkish operating system language settings.
  • Weather details from Ankara matching specific timeframes.

Underground Forums

A prominent Russian-speaking forum post dated October 12, 2024, unveiled DroidBot’s MaaS offering. The post highlighted:

  • Claims of experienced malware development.
  • Comprehensive packages including crypters and server access.
  • No restrictions on targeting CIS regions.

Implications

DroidBot’s evolution and MaaS model signify:

  • Increased Fraud Risks: Expanding target scope to financial institutions and cryptocurrency exchanges.
  • Operational Challenges: Affiliates’ ability to generate unique builds complicates detection.
  • Geographical Expansion: Emerging threats in Latin America and beyond.

Recommendations

For Financial Institutions:

  • Monitor for Accessibility Service abuse from within the mobile banking app, for example by checking which accessibility services are enabled while the app is in the foreground and treating unknown ones as a risk signal.
  • Deploy detection for overlay attacks and VNC-style remote control (screen capture combined with injected input), which DroidBot uses to act on the victim's behalf.

For CERTs and Governments:

  • Strengthen international collaboration to dismantle MaaS networks.
  • Increase user awareness of side-loading risks.

For General Users:

  • Avoid downloading apps from unverified sources; DroidBot is delivered by side-loading, not through the Play Store.
  • Regularly review app permissions and revoke unnecessary access. In particular, do not enable Accessibility Services for apps that have no accessibility purpose; an app posing as Chrome or the Play Store that asks for this access is a red flag.
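The recommendations above (monitoring for Accessibility Service abuse, overlay detection, side-loading awareness) can be turned into a simple device triage, shown here as an added example; this is not tooling from the original analysis. The script consumes text an analyst would collect over adb and flags any package that has an enabled accessibility service and is not on an allowlist, then raises the score if the package can also draw over other apps (the overlay permission), was not installed by the Play Store, or matches a sample hash from the IOC appendix. The adb output shapes, the package names, the allowlist and the hash values for the benign app are constructed for this example and only approximate real output.

```python
"""Android device triage for Accessibility Service and overlay abuse (added example).

Inputs are modelled on these adb commands (output shapes constructed here):
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
  adb shell dumpsys package <pkg>      (for the installerPackageName= line)
  md5sum <pkg>.apk after `adb pull`
"""
from __future__ import annotations

import re

# Known-bad MD5 hashes taken from the IOC appendix of this article.
DROIDBOT_MD5 = {
    "fe8d76ba13491c952f7dd1399a7ebf3c",
    "2ce47ed9653a9d1e8ad7174831b3b01b",
    "e6f248c93534d91e51fb079963c4b786",
}
# Accessibility services the organisation has vetted (assumed allowlist).
ALLOWLIST = {"com.google.android.marvin.talkback"}
PLAY_STORE = "com.android.vending"

# Constructed sample device state: TalkBack (legitimate), a side-loaded fake
# "Chrome update" with overlay rights, and a Play-installed notes app.
SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.securityupdate/com.chrome.securityupdate.AccService:"
    "com.example.notes/com.example.notes.A11yService"
)
APPOPS = {
    "com.chrome.securityupdate": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m1s ago",
    "com.example.notes": "No operations.",
}
DUMPSYS = {
    "com.chrome.securityupdate": "  installerPackageName=null\n",
    "com.example.notes": "  installerPackageName=com.android.vending\n",
}
APK_MD5 = {
    "com.chrome.securityupdate": "fe8d76ba13491c952f7dd1399a7ebf3c",
    "com.example.notes": "0" * 32,  # placeholder hash for the benign app
}


def parse_enabled_services(setting: str) -> set[str]:
    """'pkg/cls:pkg2/cls2' -> {'pkg', 'pkg2'}; 'null' or empty -> empty set."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def overlay_allowed(appops_output: str) -> bool:
    """True if the appops line shows the draw-over-apps operation is allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output) is not None


def installer_of(dumpsys_output: str) -> str | None:
    """Installer package from dumpsys, or None for side-loaded (null/absent)."""
    m = re.search(r"installerPackageName=(\S+)", dumpsys_output)
    if not m or m.group(1) == "null":
        return None
    return m.group(1)


def triage(setting: str, appops: dict[str, str], dumpsys: dict[str, str],
           apk_md5: dict[str, str], allowlist: set[str] = ALLOWLIST) -> list[dict]:
    """Score every non-allowlisted package with an enabled accessibility service."""
    findings = []
    for pkg in sorted(parse_enabled_services(setting) - allowlist):
        reasons = ["accessibility service enabled and not allowlisted"]
        if overlay_allowed(appops.get(pkg, "")):
            reasons.append("can draw over other apps (overlay capable)")
        if installer_of(dumpsys.get(pkg, "")) != PLAY_STORE:
            reasons.append("not installed by the Play Store (side-loaded)")
        if apk_md5.get(pkg, "").lower() in DROIDBOT_MD5:
            reasons.append("APK hash matches a known DroidBot sample")
        findings.append({"package": pkg, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage(SETTING, APPOPS, DUMPSYS, APK_MD5):
        print(f"{finding['package']} (score {finding['score']})")
        for reason in finding["reasons"]:
            print("   -", reason)
```

A score of 1 (accessibility enabled, nothing else) is worth a look but is common for legitimate assistive apps; the combination of accessibility access, overlay rights and side-loading is the DroidBot pattern and should trigger APK collection for analysis regardless of whether the hash is already known.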

Conclusion

DroidBot represents a shift in mobile malware: it pairs technical sophistication (MQTT-based C2, overlays, hidden VNC, keylogging) with a Malware-as-a-Service model and an affiliate network, whereas earlier threats were more often run by a single group without scalable affiliate infrastructure. The MaaS model widens its reach and means each affiliate's build looks different, which complicates detection. Because its infrastructure and feature set are still evolving, defenders need to track its tactics continuously and coordinate internationally rather than rely on static indicators.


Appendix: Indicators of Compromise (IOCs)

DroidBot Samples

MD5 hash                           App Name
fe8d76ba13491c952f7dd1399a7ebf3c   Chrome
2ce47ed9653a9d1e8ad7174831b3b01b   Chrome
e6f248c93534d91e51fb079963c4b786   Google Play Store

C2 Servers

Domain
dr0id[.]best
k358a192.ala.dedicated.aws.emqxcloud[.]com

Affiliates/Botnets

Names
client0
zoouzz