A dangerous piece of Android malware is in the wild, hoovering up logins and MFA codes, sending financial data and screen captures back to the attackers – and more.
Here’s what Malibot does, how it spreads, and how you should protect your Android device against it.
What is Malibot Android malware?
A new strain of Android mobile malware was discovered by F5 Labs in June 2022. The Malibot banking Trojan focuses on stealing financial information, credentials, cryptocurrency wallets and personally identifiable information (PII). Read more about Malibot from the team at F5.
Malibot abuses permissions and Accessibility settings to intercept and send SMS messages, take screen captures, launch and delete apps on demand, steal cryptocurrency wallets, and more.
If the device has an app that matches one on Malibot's target list, Malibot conducts an overlay attack as the user opens that app: it draws a fake screen over the real one, designed to look identical, and harvests the credentials or other information that the unsuspecting user types into it.
How does it spread?
There are two primary ways that Malibot spreads.
- Malibot lures victims to websites that offer a download, sometimes posing as a legitimate app you might find on the Google Play Store. The app the user installs contains the Malibot malware; so far we've seen it disguised as popular cryptocurrency apps, the Chrome app and a Social Security app. Malibot's Mining X campaign is different: it is presented as a QR code on a website and does not imitate any Google Play Store app.
- The other way it spreads is via SMS phishing (smishing) as Malibot can send text messages on demand to the contacts on your device. It’s a fast and popular way for banking Trojans to spread, as we’ve seen from FluBot and SharkBot.
Why should we be worried?
Malibot can successfully inject overlays that look identical to the apps device users think they’re opening and logging into, so it hoovers up credentials and financial information before users know it’s there. Even security-savvy users that have set up multifactor authentication aren’t immune – Malibot intercepts MFA codes sent by SMS and even via the Google Authenticator app.
Its abuse of the Accessibility API, which lets an app act on the user's behalf (read text on the screen, tap buttons and listen for events), also helps Malibot prevent its own uninstallation and the removal of its permissions.
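The combination that makes this possible is an enabled Accessibility service plus SMS, overlay or contacts permissions in the same app. The following triage script is an added example, not code from this page, Trustd or F5 Labs: it parses the output of two adb commands and flags apps with that combination. The output formats of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` are assumptions, and all sample output is constructed so the script runs offline.

```python
"""Triage an Android device's app posture from adb output.

Added example (not the page's, Trustd's or F5 Labs' code). Flags apps that
combine an enabled Accessibility service with SMS, overlay or contacts
permissions, the combination Malibot-style banking Trojans rely on.
The adb output formats are assumptions; every sample below is constructed.
"""

# Constructed sample of:
#   adb shell settings get secure enabled_accessibility_services
# (assumed format: colon-separated "package/service" entries)
ENABLED_ACCESSIBILITY_SERVICES = (
    "com.example.screenreader/.TalkBackService:"
    "com.fakewallet.app/.OverlayHelperService"
)

# Constructed, truncated samples of `adb shell dumpsys package <pkg>`.
DUMPSYS_SAMPLES = {
    "com.fakewallet.app": """\
Packages:
  Package [com.fakewallet.app] (1a2b3c4):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.screenreader": """\
Packages:
  Package [com.example.screenreader] (5d6e7f8):
    versionName=3.2
    requested permissions:
      android.permission.INTERNET
      android.permission.VIBRATE
""",
}

# Permissions that, combined with Accessibility, enable interception or spread.
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SEND_SMS = "android.permission.SEND_SMS"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
CONTACTS = "android.permission.READ_CONTACTS"


def parse_enabled_accessibility(setting: str) -> set[str]:
    """Return package names that have an enabled Accessibility service."""
    pkgs = set()
    for entry in setting.split(":"):
        entry = entry.strip()
        if entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def parse_requested_permissions(dumpsys: str) -> set[str]:
    """Extract the 'requested permissions:' block from dumpsys package output."""
    perms = set()
    in_block = False
    for line in dumpsys.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if not stripped or stripped.endswith(":"):
                break  # the next section header ends the block
            perms.add(stripped)
    return perms


def assess(pkg: str, perms: set[str], accessibility_pkgs: set[str]) -> list[str]:
    """Return findings for one package; an empty list means nothing suspicious."""
    findings = []
    has_a11y = pkg in accessibility_pkgs
    if has_a11y and perms & SMS_READ:
        findings.append("accessibility + SMS read: can intercept SMS MFA codes")
    if has_a11y and OVERLAY in perms:
        findings.append("accessibility + overlay: can draw fake login screens")
    if SEND_SMS in perms and CONTACTS in perms:
        findings.append("send SMS + contacts: can smish the user's contacts")
    return findings


def triage(samples: dict[str, str], setting: str) -> dict[str, list[str]]:
    """Map each package to its findings."""
    a11y = parse_enabled_accessibility(setting)
    return {pkg: assess(pkg, parse_requested_permissions(text), a11y)
            for pkg, text in samples.items()}


if __name__ == "__main__":
    for pkg, findings in triage(DUMPSYS_SAMPLES, ENABLED_ACCESSIBILITY_SERVICES).items():
        print(f"{pkg}: {'SUSPICIOUS' if findings else 'ok'}")
        for finding in findings:
            print(f"  - {finding}")
```

An enabled Accessibility service on its own is not a finding (screen readers legitimately need it); the script only reacts when it sits alongside the permissions an overlay or SMS-intercepting Trojan needs, which keeps false positives on accessibility tools low.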
Although Malibot's main targets are currently online banking customers in Spain and Italy, its ability to steal data, spread quickly and evade detection makes it a dangerous piece of Android malware that users must be on the lookout for as threat campaigns expand and evolve.
Fortunately, not only does Trustd detect Malibot on an Android device, it can help you to successfully remove it. Download the free Trustd app for Android from Google Play to detect and remove Malibot.
What should you do to protect against Malibot?
Individuals/consumers should:
- Only download apps from vetted marketplaces, such as Google Play.
- Install the free Trustd Mobile Security app to scan links in SMS messages that may try to trick you into opening a spoof website. The app scanner will detect malicious and hidden apps on your device and help you remove them, and you will get alerts when an app like Malibot abuses permissions, takes screenshots, and so on.
- Consider upgrading to Trustd Plus to enable Safe Browsing. This second layer of protection will alert you to fake websites that are used to trick you into downloading malware.
Organisations should:
- Conduct user awareness training to educate employees on the dangers of downloading apps from unvetted marketplaces.
- Use Trustd MTD for three-pronged protection against malware like Malibot:
- Safe Browsing alerts the user if they browse to a fraudulent website that may host malware;
- AI-powered phishing protection to scan links in SMS messages that may try to send the user to a fraudulent website that may host malware; and
- Malware app detection, scanning the device for malicious apps and helping the user to remove them – plus alerts for permissions abuse such as camera or mic access. Discover Trustd MTD and book a demo or free trial.