
MaliBot financial malware is a master of disguise, targets Android users

F5 researchers reported seeing the financial malware MaliBot targeting users of Android devices.

The saying goes that there is strength in numbers. So it’s not surprising that U.S. financial firms and their customers not only need to worry about the sheer volume of malware that is being lobbed at them, but also the emerging threat of these bad applications working more stealthily and in concert.

Case in point: the recently discovered MaliBot malware that has been plaguing Android users. It is a trojan that, once installed on a device, steals banking credentials and other sensitive financial information, cookies, call logs, text messages and details of installed applications, and even Google account credentials, which lets the malware sidestep two-factor authentication. MaliBot also steals cryptocurrency wallet details from unsuspecting mobile banking customers.

According to a research paper published by F5 Labs, MaliBot is believed to be related to the widespread FluBot trojan, which has long been attacking financial applications in one form or another. Nearly a month ago, it was reported that FluBot was "dismantled" in an international takedown operation led by the Dutch police. Before that, FluBot was cited as the second most prevalent mobile banking trojan in the world in the first five months of this year, so seeing elements of it (such as SMS-based phishing and the theft of online banking information) resurrected in MaliBot is not a huge surprise to cyber-industry observers.

However, perhaps the most diabolical element of MaliBot is that it has evolved and improved upon earlier variants: it disguises itself as a cryptocurrency application with a largely believable name. Two of the campaigns through which MaliBot was disseminated were dubbed "The CryptoApp" and "Mining X", names that mimic legitimate cryptocurrency applications and could easily fool a cryptocurrency user. These ploys have successfully convinced mobile banking and payments users to download the MaliBot Android package (APK).

Further, MaliBot has layered in capabilities such as screen overlays, web injection, and stealing and sending text messages and call logs, which in many cases allow the malicious program to make an end-run around multi-factor authentication. The malware has often been seen distributed as part of an SMS phishing (or "smishing") campaign.

Yet another trick up MaliBot's sleeve is its ability to read the text on the device's screen for anything indicating that the user is trying to uninstall the application or revoke its permissions, and to stop the mobile banking customer from doing so by navigating back to the previous screen. To stay on an infected phone as long as possible, MaliBot can also relaunch itself whenever the device becomes active again, even if the malware was not running at the time.

The researchers who discovered this advanced financial malware in the wild found it largely targeting Android phone users in Spain and Italy. But as recently as last week, researchers tracking this threat agreed that if MaliBot campaigns are not already targeting U.S. banks and their customers, they will be soon. They also believe that MaliBot was most likely developed, and is being operated, by bad actors out of Russia.

Given all its tricks and techniques, IT security advisors are left with little recourse (at least publicly) other than basic blocking and tackling when it comes to banking malware. Hence, researchers from F5 Labs and other security companies recommend that mobile banking and payments customers never download applications from unknown emails, texts or websites, and that they run anti-malware on their Android phones. And, given that malware sometimes sneaks into the Google Play store and other well-known app stores, they should still look into the developer and read the reviews of any program they want to install.
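The screen-reading and back-navigation behaviour described above is what Android's accessibility service API gives an app, and the sideloaded APK is the delivery mechanism, so a quick triage check on a suspect phone is to list which third-party apps have an accessibility service enabled and where each of them was installed from. The following script is an added example (not code from the article or from F5 Labs); it parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags any app with an enabled accessibility service whose installer is not a trusted store. The sample output, the package names in it and the assumption that Google Play (`com.android.vending`) is the only trusted installer are all constructed for the example.

```python
"""Triage: flag sideloaded Android apps that hold an enabled accessibility service.

Added example, not from the article or F5 Labs. Input formats are those of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
The sample strings below are constructed and do not describe a real device.
"""
from typing import Dict, List, Optional

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated ComponentName strings, "package/ServiceClass".
SAMPLE_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cryptoapp/.svc.MainService"
)

# Constructed sample of `pm list packages -3 -i` (third-party apps with installer).
# "installer=null" is what the shell prints when the app was sideloaded.
SAMPLE_PACKAGES = """\
package:com.android.talkback  installer=com.android.vending
package:com.example.cryptoapp  installer=null
package:com.bank.mobile  installer=com.android.vending
"""

# Assumption for this example: Google Play is the only trusted installer.
# Extend this set with an OEM store's package name if the device uses one.
KNOWN_STORE_INSTALLERS = {"com.android.vending"}


def parse_accessibility_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> list of enabled accessibility service classes."""
    services: Dict[str, List[str]] = {}
    for comp in raw.strip().split(":"):
        if "/" not in comp:
            continue  # empty string or malformed entry
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # expand the abbreviated class name form
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when sideloaded."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line[len("package:"):].partition("installer=")
        installer = inst_part.strip() or None
        if installer == "null":
            installer = None
        installers[pkg_part.strip()] = installer
    return installers


def suspicious_accessibility_apps(a11y_raw: str, packages_raw: str) -> List[dict]:
    """Third-party apps with an enabled accessibility service that did not
    come from a trusted store. System apps are not in the -3 listing and are
    therefore ignored; that is deliberate, since they are not sideloaded."""
    services = parse_accessibility_services(a11y_raw)
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, classes in sorted(services.items()):
        if pkg not in installers:
            continue  # not a third-party app
        installer = installers[pkg]
        if installer in KNOWN_STORE_INSTALLERS:
            continue
        findings.append({"package": pkg, "installer": installer, "services": classes})
    return findings


if __name__ == "__main__":
    for f in suspicious_accessibility_apps(SAMPLE_A11Y, SAMPLE_PACKAGES):
        src = f["installer"] or "sideloaded (no installer recorded)"
        print(f"SUSPECT {f['package']} from {src}: {', '.join(f['services'])}")
```

An app that appears in this report is not proven malicious (legitimate password managers and screen readers also use accessibility services), but a sideloaded "crypto" app with an accessibility service enabled is exactly the combination worth removing, and on a live device the `pm list packages -3 -i` line will also show which browser or messaging app performed the install.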
