New virus steals bank data, disguises itself as Google Chrome

Researchers at Cleafy have discovered a new Android banking trojan called “DroidBot” that steals login information for more than 77 cryptocurrency exchanges and banking apps.

DroidBot has been active since June 2024 as a malware-as-a-service (MaaS) platform. Criminals who want to use DroidBot pay a monthly subscription fee of $3000.

So far, 17 groups have been identified that used the malware in attacks with support from its creators. Infections have been detected across the UK, Italy, France, Turkey and Germany, but Cleafy warns that there are indications of attempts to spread the malware to new regions.

The developers of DroidBot, who are most likely Turkish, provide their affiliates with all the tools needed to carry out attacks. This includes the malware itself, command and control (C2) servers, and a central administrative panel from which affiliates control their operations, retrieve stolen data and issue commands.

Multiple affiliate groups operate on the same C2 infrastructure. Each group is assigned a unique identifier, which is how Cleafy was able to identify the 17 groups using the malware.

The developers allow affiliates to customize DroidBot to target specific apps and languages, and provide them with technical support and access to a Telegram channel where updates are posted regularly. Overall, the DroidBot MaaS is designed so that even inexperienced cybercriminals can use it.

DroidBot often disguises itself as Google Chrome, the Google Play Store or Android Security. In all cases it acts as a trojan that tries to steal sensitive information from other applications.

The malware can record the victim's keystrokes, overlay fake login pages on top of banking app interfaces, intercept SMS messages (especially those carrying one-time passwords (OTPs) for banking apps), let attackers remotely view and control the infected device, execute commands, and dim the screen to hide the malicious activity.

DroidBot abuses Android accessibility services to track what the victim is doing on the device and to simulate swipes and taps.

Among the 77 apps that DroidBot targets for credential theft are Binance, KuCoin, BBVA, UniCredit, Santander, MetaMask, BNP Paribas, Crédit Agricole, Kraken and Garanti BBVA.

Android users are advised to install apps only from Google Play, review the permissions an app requests after installation, and make sure Google Play Protect is enabled on their devices. /Telegraph/