As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot.
“DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring,” Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said.
“Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience.”
The Italian fraud prevention company said it discovered the malware in late October 2024, although there is evidence to suggest that it has been active since at least June, operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.
No less than 17 affiliate groups have been identified as paying for access to the offering. This also includes access to a web panel from where they can modify the configuration to create custom APK files embedding the malware, as well as interact with the infected devices by issuing various commands.
Campaigns leveraging DroidBot have been primarily observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom. The malicious apps are disguised as generic security applications, Google Chrome, or popular banking apps.
While the malware leans heavily on abusing Android’s accessibility services to harvest sensitive data and remotely control the Android device, it stands apart for leveraging two different protocols for command-and-control (C2).
Specifically, DroidBot employs HTTPS for inbound commands, whereas outbound data from infected devices is transmitted using a messaging protocol called MQTT.
“This separation enhances its operational flexibility and resilience,” the researchers said. “The MQTT broker used by DroidBot is organised into specific topics that categorise the types of communication exchanged between the infected devices and the C2 infrastructure.”
The exact origins of the threat actors behind the operation are not known, although an analysis of the malware samples has revealed that they are Turkish speakers.
“The malware presented here may not shine from a technical standpoint, as it is quite similar to known malware families,” the researchers noted. “However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme – something not commonly seen in this type of threat.”