F5 experts have found in the wild a new banking trojan for Android capable of stealing account credentials, cookies and two-factor authentication (2FA) codes. The multifunctional malware, called MaliBot, also interacts actively with its operator, opening VNC access to the infected device.
Analysis of the dangerous find showed that it is heavily reworked and modified code from the SOVA banker, with a different set of functions, targets, C2 addresses and packing methods. At present the malware mainly troubles residents of Spain and Italy; the list of banks of interest includes UniCredit, Santander, CaixaBank and CartaBCC.
MaliBot spreads through fraudulent sites, most often under the guise of a certain Mining X application or the popular CryptoApp wallet (the original on Google Play has collected more than 1 million downloads). Other disguise names are sometimes seen as well, such as MySocialSecurity and Chrome.
To lure Android owners to the malicious sites, the malware's operators use smishing: on command, MaliBot can carry out mass SMS mailings, receiving the text (with a URL) and the list of recipients from the C2 server. That server is located in Russia and was once used to spread the Sality file virus.
The functions of the new Android trojan are numerous and varied, and include the following capabilities:
To carry out its tasks, the trojan connects to the C2 server after launch and requests permission to use Android's accessibility features (Accessibility Service). For the same purpose it registers background services for processing, screen recording, accessibility and notifications (to pester the victim if they do not grant accessibility access), as well as receivers for intercepting SMS, calls and alarms, and for registering boot activity.
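A static triage check for the component mix described above, added here as an example (it is not code from the article or from F5). It parses an AndroidManifest.xml and flags the pairing of an accessibility service with SMS or call receivers; the manifest is constructed and the trait labels are my own.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Intent actions a receiver would register for the behaviours named above.
RECEIVER_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "sms_receiver",
    "android.intent.action.PHONE_STATE": "call_receiver",
    "android.intent.action.BOOT_COMPLETED": "boot_receiver",
}
SEND_SMS = "android.permission.SEND_SMS"  # needed for the mass-SMS lure


def manifest_traits(manifest_xml: str) -> set:
    """Return the set of trait labels present in the manifest."""
    root = ET.fromstring(manifest_xml)
    traits = set()
    for svc in root.iter("service"):
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            traits.add("accessibility_service")
    for rcv in root.iter("receiver"):
        for act in rcv.iter("action"):
            label = RECEIVER_ACTIONS.get(act.get(A + "name"))
            if label:
                traits.add(label)
    for perm in root.iter("uses-permission"):
        if perm.get(A + "name") == SEND_SMS:
            traits.add("send_sms")
    return traits


def needs_review(traits: set) -> bool:
    """Flag an accessibility service paired with SMS or call interception."""
    return "accessibility_service" in traits and bool(traits & {"sms_receiver", "call_receiver"})


# Constructed sample manifest (not a real MaliBot artifact) showing the full mix.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallet">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <receiver android:name=".BootRx"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    t = manifest_traits(SAMPLE)
    print(sorted(t), "review" if needs_review(t) else "ok")
```

A hit is only a reason to look closer, since legitimate SMS and accessibility apps exist; the value is in the combination, not any single component.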
The ability to use the Accessibility API, together with a direct connection to the infected device, lets the MaliBot operator bypass Google's 2FA prompts and log into the victim's account from the operator's own computer using the stolen credentials. Meanwhile, the resident malware handles the prompt windows, pressing the necessary buttons and entering the one-time code sent from the C2 machine.
#cybercrime