A new Android Trojan, called DroidBot, is targeting banks, cryptocurrency exchanges, and national organizations.
Discovered in late October 2024, DroidBot has been active since at least June and is spreading through a malware-as-a-service (MaaS) model. Cybercriminals pay $3,000 a month to use it.
DroidBot uses sophisticated attack methods, including VNC and overlay techniques, as well as spying features like keylogging and monitoring user actions.
It also splits its communication across two channels: HTTPS for receiving commands and MQTT for sending out data, which makes it harder to detect and stop.
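The split between an HTTPS command channel and an MQTT data channel gives defenders a traffic shape to look for. The following is an added example, not code from the researchers or from DroidBot: a heuristic over per-app flow records that flags apps receiving over HTTPS while pushing upload-heavy traffic over MQTT. The flow records, package names, thresholds, and the use of the IANA-registered MQTT ports (1883, 8883) are assumptions; the article does not say which ports DroidBot uses.

```python
from collections import defaultdict

# Assumption: MQTT on its IANA-registered ports (1883 plain, 8883 over TLS).
# The article does not state DroidBot's ports; adjust for your telemetry.
MQTT_PORTS = {1883, 8883}
HTTPS_PORT = 443

# Constructed sample flow records: device, app package, dst port, bytes out, bytes in.
SAMPLE_FLOWS = """\
phone-01,com.example.bank,443,5200,48100
phone-01,com.example.fakechrome,443,900,6400
phone-01,com.example.fakechrome,8883,412000,3100
phone-02,com.example.smarthome,8883,2100,15800
phone-02,com.example.smarthome,443,1500,22000
phone-03,com.example.chat,1883,700,650
"""

def parse_flows(text):
    """Yield (device, package, port, bytes_out, bytes_in) from CSV lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, package, port, out_b, in_b = line.split(",")
        yield device, package, int(port), int(out_b), int(in_b)

def flag_split_channel(flows, min_upload_ratio=5.0, min_mqtt_out=50_000):
    """Return sorted (device, package) pairs that receive over HTTPS and
    send upload-heavy traffic over MQTT. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"https_in": 0, "mqtt_out": 0, "mqtt_in": 0})
    for device, package, port, out_b, in_b in flows:
        s = stats[(device, package)]
        if port == HTTPS_PORT:
            s["https_in"] += in_b
        elif port in MQTT_PORTS:
            s["mqtt_out"] += out_b
            s["mqtt_in"] += in_b
    hits = []
    for key, s in stats.items():
        ratio = s["mqtt_out"] / max(s["mqtt_in"], 1)  # avoid division by zero
        if s["https_in"] > 0 and s["mqtt_out"] >= min_mqtt_out and ratio >= min_upload_ratio:
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    for device, package in flag_split_channel(parse_flows(SAMPLE_FLOWS)):
        print(f"review: {package} on {device} (HTTPS in, upload-heavy MQTT out)")
```

Legitimate apps also use MQTT (the constructed smart-home entry is one), so a hit is a reason to review the app, not proof of infection.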
The Trojan is disguised as common apps, including security tools, Google Chrome, or banking apps. It has already targeted institutions in countries such as Austria, Belgium, France, Italy, Spain, and the UK.
While the technical aspects of DroidBot are similar to other known malware, its MaaS model makes it stand out. Researchers have found that the creators of DroidBot likely speak Turkish, though their exact identity remains unknown.
As of now, 17 groups have been identified using DroidBot to remotely control infected devices, steal data, and modify infected APK files.
Stay cautious and protect your devices, especially if you use banking or cryptocurrency apps.