Mailboat, a new banking Trojan horse, masquerades as a crypto mining program to infect Android devices. There’s a possibility that it could begin targeting Americans, despite its current focus on Spain and Italy.
F5 Labs uncovered the new Malibot threat for Android phones while following the mobile banking malware FluBot. Mailboat is a dangerous menace to consider because of its various features and capabilities.
Malicious assaults on privileged users are difficult to prevent.
Mailboat is disseminated in what ways?
Currently, Malibot is being distributed by hackers in two main ways.
The scammers have built two websites, “Mining X” and “TheCryptoApp,” to disseminate their malware (Figure A and Figure B).
As indicated in Diagram A
As the name implies, the TheCryptoApp campaign pretends to be a reputable bitcoin monitoring program. As long as they’re using an Android phone to browse, they’ll be infected and given the link. As a result of browsing from any other device, the user will be presented with a legitimate link to the Google Play Store version of TheCryptoApp. Users of Android devices do not need to go through the Google Play Store to get the app.
If you click on the download link on the Mining X website, a window will open with a QR code that you may use to download the application.
Using Malibot’s capacity to send SMS messages on-demand, Malibot may send texts to a list of phone numbers provided by the Malibot command and control server.
Mailboat steals what kind of information?
Malibot’s goal is to steal sensitive information, including passwords, credit card numbers, and bank account numbers. Cookies, multi-factor authentication credentials, and crypto-wallets can all be stolen to achieve this purpose.
Accounts on Google
Malibot can get your Google account information. Google applications are opened by the virus, which opens a WebView to the Google sign-in page, forcing the user to sign in and preventing the user from clicking any return buttons.
Mailboat also can defeat Google’s two-factor authentication (2FA). When a user tries to sign in using their Google account, the virus immediately confirms the Google prompt screen. By sending the 2FA code to an attacker instead of a legal recipient, the virus can verify that the authentication worked.
Specific internet services require many injections.
The malware also provides the attacker with a list of the infected device’s applications, which enables the attacker to know which applications can be used to show an inject instead. An inject is a page that appears to the user as if it were a valid one, but it is in fact a fake (Figure C).
F5 Labs claims that the Malibot infects financial institutions in Spain and Italy with a ransomware variant.
Mailboat can also take Google Authenticator’s multi-factor authentication codes on demand, in addition to stealing Google accounts. The malware intercepts and exfiltrates MFA codes supplied over SMS to a mobile phone.
Wallets for cryptocurrency
Mailboat is capable of stealing data from Binance and Trust cryptocurrency wallets.
For both Binance and Trust, the malware attempts to export the complete balance from the victims’ wallets.
Malibot can also collect the victim’s seed phrases, allowing the attacker to subsequently move all of the money to a different wallet of their choice, like with the Trust wallet.
SMS messages can be sent on demand using Malibot. Smishing is the most common method of distribution, however, it can also send Premium SMS, which charges the victim’s cell credits if that option is selected.
What is Malibot’s method of gaining control of the device?
With the Android accessibility API, Malibot is able to conduct actions on behalf of the user. In this way, malicious software is able to steal data and remain undetected for long periods of time. By clicking the back button when it sees certain text or labels on the screen, it prevents the uninstall or withdrawal of permissions from taking place.
Malibot: a very present and potent danger
The goal of Malibot’s creators is for it to remain unnoticed and persistent on infected devices for as long as possible. It is set as a launcher to escape being killed or paused by the operating system in case of idleness. The service is started or woken up each time its activity is examined.
The malware contains a few extra safeguards, but none of them are used. There is a function that can tell if malware is running in an environment that is not real, according to researchers at F5. Another function that isn’t being used makes the malware a secretive program.
As new Malibot targets emerge, the United States could already be under attack.
F5 Labs’ investigation indicated Spain and Italy as potential targets, but they also discovered persistent behavior that may point to cybercriminals targeting Americans.
Using the same threat actor’s domain, a “Trust NFT” website (Figure D) offers to download the malware (Figure D).
Figure D is an example of this
The COVID-19 motif can be found in the domain name of another website. Researchers believe that the attackers will use these new domains to spread malware to other countries, including the United States.
Defending yourself from Malibots
Only malicious websites and SMS messages are used to spread the infection. No reputable Android platform, such as the Google Play Store, is presently distributing this malware.
On an Android device, never install any app that can be downloaded with a single click. This means that users should avoid downloading programs from untrusted or unlicensed sources. A link sent to a user’s mobile phone should never be used to install the software.
Protect your Android device from known risks by installing a full suite of security software.
Permissions should be double-checked before software installation. When Malibot is started for the first time, it asks for SMS sending rights, which should trigger red flags.
Although I work for Trend Micro, the opinions expressed below are entirely mine.