New DroidBot Android Spyware Targeting Banking and Crypto Users

Category	Details
Threat Actors	Believed to be a Turkish-speaking group; MaaS operation involves 17 affiliate groups.
Campaign Overview	DroidBot is a sophisticated Android RAT operating on a Malware-as-a-Service (MaaS) model targeting financial institutions, banking users, and cryptocurrency exchange users.
Target Regions	Europe (UK, Italy, France, Spain, Turkey, Portugal) with potential expansion to Latin America; customized for English, Italian, Spanish, and Turkish speakers.
Methodology	Disguises as security/banking apps; exploits Android Accessibility Services; dual-channel communication via MQTT (outbound) and HTTPS (inbound).
Product Targeted	Banking apps, cryptocurrency exchanges, and generic security applications.
Malware Reference	DroidBot (Android spyware), MQTT protocol, Copybara, BRATA/AmexTroll trojans.
Tools Used	DroidBot toolkit, hidden VNC, keylogger, overlay techniques, monitoring routines.
Vulnerabilities Exploited	Android Accessibility Services exploitation.
TTPs	Message interception, keystroke logging, screenshot capture, remote device control, dual-channel communication, credential theft, MaaS model for scalability.
Attribution	Turkish-speaking group; shared techniques with previous trojans like Copybara and BRATA.
Recommendations	- Avoid apps from unknown sources. - Regularly update devices with security patches. - Use reliable antivirus software.
Source	Hackread

Read full article: https://hackread.com/droidbot-android-spyware-hit-banking-crypto-users/

Disclaimer: The above summary has been generated by an AI language model