As many as 77 banks, cryptocurrency exchanges, and national organizations have been targeted by a newly uncovered Android Remote Access Trojan (RAT) called DroidBot, making it one of the more significant mobile threats reported in 2024.
What is DroidBot?
DroidBot is a modern Android RAT that combines hidden VNC (Virtual Network Computing) and overlay attack techniques with spyware-like capabilities such as:
- Keylogging
- User interface monitoring
Both the remote control and the data harvesting rely on abuse of Android's accessibility services, a legitimate feature that the malware tricks the victim into granting rather than a vulnerability it exploits.
According to researchers Simone Mattia, Alessandro Strino, and Federico Valentini from Cleafy, DroidBot uses dual-channel communication to improve its flexibility and resilience: it transmits stolen data from infected devices via MQTT (a lightweight publish/subscribe messaging protocol) and receives inbound commands, such as which apps to target with overlays, over HTTPS.
"This separation enhances its operational flexibility and resilience," the researchers noted.
Cybersecurity Threat Timeline
The Italian fraud prevention firm Cleafy first detected DroidBot in October 2024, but evidence suggests it has been active since June 2024, operating under a Malware-as-a-Service (MaaS) model.
For a monthly fee of $3,000, affiliates gain access to:
- A web control panel to modify malware configurations
- The ability to create custom APK files embedding DroidBot
- Tools to issue remote commands to infected devices
Who is Behind DroidBot?
While the exact threat actors remain unidentified, analysis of the malware samples indicates the developers are Turkish speakers.
"The malware itself may not be groundbreaking technically but stands out for its Malware-as-a-Service model, which is rare for Android threats," the researchers added.
How DroidBot Spreads
Campaigns using DroidBot have targeted multiple countries, including:
- Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the U.K.
DroidBot disguises itself as legitimate apps, including:
- Generic security apps
- Google Chrome
- Popular banking apps
Once installed and granted the accessibility permission, it abuses Android's accessibility services to:
- Harvest sensitive user data
- Gain remote control of the device
Unique Features of DroidBot
One aspect that sets DroidBot apart is its dual-protocol command-and-control (C2) strategy:
- HTTPS: Used to send commands from the operators to infected devices.
- MQTT: Used to transmit stolen data from infected devices to the C2 infrastructure.
This separation adds stealth and resilience: taking down or blocking one channel does not disable the other, and MQTT is not a protocol most mobile security tooling expects to see from a handset. The MQTT broker organizes communication into specific "topics" to streamline data exchange, which is also the structure a defender can use to recognize and attribute the traffic.
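To make the MQTT side of that design concrete, the following is an added example written for this page; it is not Cleafy's code, not DroidBot's, and it assumes nothing about DroidBot's real topic names or broker. It is a minimal MQTT 3.1.1 parser of the kind an analyst would use on the TCP payload of a captured broker session (the dual-channel description above and in the Cleafy quote): it decodes the variable-length "remaining length" field, walks back-to-back control packets, and pulls out the fields worth pivoting on, namely the CONNECT client ID and credentials and the PUBLISH topics and payloads. The sample packets are constructed inline with hypothetical client IDs and topic names.

```python
"""Minimal MQTT 3.1.1 control-packet parser for triaging captured C2 traffic.

Added example for this page (not Cleafy's or DroidBot's code). Client IDs,
topic names and payloads below are constructed for illustration.
"""
import struct

PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
                8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP",
                14: "DISCONNECT"}


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, 0x80 marks continuation."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)


def decode_remaining_length(data, offset):
    """Return (value, offset_after_field); at most 4 bytes per the spec."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if offset + consumed >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + consumed
        if consumed == 4:
            raise ValueError("malformed remaining length")
        multiplier *= 128


def read_binary(data, offset):
    """Length-prefixed (big-endian uint16) field, used for strings and passwords."""
    if offset + 2 > len(data):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">H", data, offset)
    offset += 2
    if offset + length > len(data):
        raise ValueError("truncated field")
    return data[offset:offset + length], offset + length


def read_utf8(data, offset):
    raw, offset = read_binary(data, offset)
    return raw.decode("utf-8"), offset


def parse_packet(data):
    """Parse one control packet at the start of data; 'length' is its total size."""
    if len(data) < 2:
        raise ValueError("too short")
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    remaining, offset = decode_remaining_length(data, 1)
    end = offset + remaining
    if end > len(data):
        raise ValueError("truncated packet")
    body = data[offset:end]
    pkt = {"type": PACKET_TYPES.get(ptype, f"UNKNOWN({ptype})"), "length": end}
    if ptype == 1:  # CONNECT: protocol name, level, connect flags, keepalive, then payload
        proto, pos = read_utf8(body, 0)
        level, cflags = body[pos], body[pos + 1]
        (keepalive,) = struct.unpack_from(">H", body, pos + 2)
        pos += 4
        pkt["client_id"], pos = read_utf8(body, pos)
        pkt.update(protocol=proto, level=level, keepalive=keepalive)
        if cflags & 0x04:  # Will flag: skip will topic and will message
            _, pos = read_binary(body, pos)
            _, pos = read_binary(body, pos)
        if cflags & 0x80:
            pkt["username"], pos = read_utf8(body, pos)
        if cflags & 0x40:  # password is binary data in 3.1.1, so keep raw bytes
            pkt["password"], pos = read_binary(body, pos)
    elif ptype == 3:  # PUBLISH: topic, packet id (QoS > 0 only), payload
        qos = (flags >> 1) & 0x03
        topic, pos = read_utf8(body, 0)
        if qos:
            pos += 2
        pkt.update(topic=topic, qos=qos, retain=bool(flags & 0x01), payload=body[pos:])
    return pkt


def parse_stream(data):
    """Split a TCP payload holding several back-to-back MQTT packets."""
    packets, offset = [], 0
    while offset < len(data):
        pkt = parse_packet(data[offset:])
        packets.append(pkt)
        offset += pkt["length"]
    return packets


def triage(data):
    """What an analyst pivots on: client IDs seen and the topics published to."""
    packets = parse_stream(data)
    return {"clients": [p["client_id"] for p in packets if p["type"] == "CONNECT"],
            "topics": sorted({p["topic"] for p in packets if p["type"] == "PUBLISH"})}


def _frame(first_byte, body):
    return bytes([first_byte]) + encode_remaining_length(len(body)) + body


# Constructed sample session: CONNECT (username/password, clean session) then one QoS 1 PUBLISH.
SAMPLE_STREAM = (
    _frame(0x10, b"\x00\x04MQTT\x04\xC2\x00\x3C" + b"\x00\x06dev001" + b"\x00\x05admin" + b"\x00\x06s3cr3t")
    + _frame(0x32, b"\x00\x11bot/dev001/keylog" + b"\x00\x01" + b'{"k":"hunter2"}')
)

if __name__ == "__main__":
    for p in parse_stream(SAMPLE_STREAM):
        print(p)
    print(triage(SAMPLE_STREAM))
```

On a real capture, feed the reassembled client-to-broker byte stream to parse_stream and look at the topic hierarchy and client ID pattern: a consistent per-device topic prefix and hard-coded broker credentials shared across samples are exactly the kind of structure that lets a defender write a network signature or pivot on the broker once one sample is identified.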
Final Thoughts
DroidBot is a prime example of the evolving nature of mobile malware. While not innovative from a technical perspective, its MaaS operational model makes it a lucrative option for cybercriminals.
Organizations, especially in the banking and cryptocurrency sectors, must remain vigilant: educate employees and customers to install apps only from official stores and to refuse accessibility-service permission requests from apps that have no plausible need for it (a "Chrome" or "security" app asking for it is a red flag), and invest in mobile threat detection that can recognize overlay and accessibility abuse and unexpected protocols such as MQTT leaving a handset.