A sophisticated Android remote access trojan (RAT) dubbed DroidBot has emerged, targeting 77 financial institutions, including banks, cryptocurrency exchanges, and national organizations. First detected in October 2024, the malware has been active since June, operating under a malware-as-a-service (MaaS) model with a monthly subscription fee of $3,000.
Key Features:
– Combined hidden VNC and overlay attack techniques
– Advanced spyware capabilities including keylogging
– Dual-channel communication system using MQTT and HTTPS
– Remote device control through Android accessibility services
Geographic Impact:
The malware campaign has primarily affected European countries, including Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom. Attackers distribute DroidBot through fake applications masquerading as security tools, Google Chrome, or legitimate banking apps.
Technical Infrastructure:
DroidBot employs a unique dual-protocol approach for command-and-control operations:
– HTTPS for receiving inbound commands
– MQTT for transmitting outbound data from infected devices
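A defender-side check for the outbound MQTT channel described above, as an added example that is not part of the original report: it recognises an MQTT CONNECT packet from the first bytes a client sends, so MQTT leaving a mobile-device segment is flagged on any port. It assumes the session is not wrapped in TLS (an encrypted session would not expose these bytes); the subnet, addresses and flow records are constructed for illustration.

```python
import ipaddress
import struct

MOBILE_NET = ipaddress.ip_network("10.20.0.0/16")  # hypothetical mobile/BYOD segment

def _read_varint(buf, pos):
    """Decode MQTT 'remaining length': 1-4 bytes, 7 bits each, low bits first."""
    value, shift = 0, 0
    for i in range(4):
        if pos + i >= len(buf):
            return None, pos
        byte = buf[pos + i]
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos + i + 1
        shift += 7
    return None, pos  # a fifth length byte is malformed

def parse_mqtt_connect(payload):
    """Return the MQTT protocol level if payload starts with CONNECT, else None."""
    if len(payload) < 2 or payload[0] != 0x10:  # packet type 1 (CONNECT), flags 0
        return None
    remaining, pos = _read_varint(payload, 1)
    if remaining is None or remaining < 10 or len(payload) < pos + 7:
        return None
    name_len = struct.unpack_from(">H", payload, pos)[0]
    name = payload[pos + 2 : pos + 2 + name_len]
    if (name_len, name) not in ((4, b"MQTT"), (6, b"MQIsdp")):  # 3.1.1/5.0 and 3.1
        return None
    level_at = pos + 2 + name_len
    return payload[level_at] if level_at < len(payload) else None

# Constructed sample: (src_ip, dst_ip, dst_port, first bytes sent by the client)
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.10", 443, bytes.fromhex("160301020001")),  # TLS record
    ("10.20.0.15", "203.0.113.77", 8080, b"\x10\x10\x00\x04MQTT\x04\x02\x00\x3c\x00\x04dev1"),
    ("10.20.0.22", "198.51.100.5", 80, b"GET / HTTP/1.1\r\n"),
]

def mqtt_flows(flows, net=MOBILE_NET):
    """List (src, dst, port, level) for flows from `net` that open with MQTT CONNECT."""
    hits = []
    for src, dst, port, first_bytes in flows:
        if ipaddress.ip_address(src) not in net:
            continue
        level = parse_mqtt_connect(first_bytes)
        if level is not None:
            hits.append((src, dst, port, level))
    return hits
```

A hit is a lead for triage rather than a verdict, since legitimate IoT and messaging apps also speak MQTT.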
The operation has attracted 17 affiliate groups who gain access to a web panel for creating custom malware-embedded APK files and managing infected devices. While the malware’s technical aspects mirror existing threats, its MaaS business model sets it apart in the current threat landscape. Analysis suggests the operators are Turkish-speaking threat actors.