A newly discovered Android remote access trojan (RAT), called DroidBot, is targeting banks, cryptocurrency exchanges, and government organizations. Its target list covers 77 institutions, and it combines several established techniques to steal credentials and other sensitive information.
DroidBot combines hidden Virtual Network Computing (VNC) and overlay attack strategies with spyware-like capabilities: it can monitor user activity and log keystrokes. The malware uses two separate communication channels: HTTPS for receiving commands from the operators and MQTT for sending stolen data out. Splitting tasking from exfiltration gives the operators flexibility and makes detection harder, because a defender who only inspects one of the two protocols sees half of the conversation.
Cybersecurity researchers first identified DroidBot in October 2024, but evidence suggests it has been active since June 2024. It operates under a malware-as-a-service (MaaS) model, offered for $3,000 per month. Infected devices send data to a command-and-control (C2) server, which organizes communication using specific MQTT topics.
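Because DroidBot's exfiltration channel is MQTT organized by topic, the most useful thing an analyst can do with a network capture from a suspect device is decode the MQTT control packets and list the client IDs and topics in use. The decoder below is an added example written for this article, not code from the DroidBot report or from the malware; it implements the MQTT 3.1.1 CONNECT and PUBLISH packet layouts (including the variable-length "remaining length" field, which needs more than one byte once a payload exceeds 127 bytes) and runs over a constructed byte stream. The client ID `dev001`, the topic names, and the JSON payload are invented for the example and are not DroidBot indicators. It assumes plaintext MQTT; a capture of MQTT over TLS would first have to be decrypted.

```python
"""Minimal MQTT 3.1.1 decoder for CONNECT and PUBLISH packets.

Added example for inspecting a captured TCP stream from a device suspected of
MQTT-based exfiltration. Assumes plaintext MQTT (no TLS). All sample data is
constructed here and is not an indicator of any real malware family.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MqttPacket:
    kind: str                       # "CONNECT", "PUBLISH" or "TYPE_<n>" for others
    client_id: Optional[str] = None  # CONNECT only
    topic: Optional[str] = None      # PUBLISH only
    qos: int = 0                     # PUBLISH only
    payload: bytes = b""             # PUBLISH only


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 = more follows."""
    out = bytearray()
    while True:
        b = n % 128
        n //= 128
        if n:
            b |= 0x80
        out.append(b)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, bytes_consumed) for the remaining-length field at buf[pos]."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if pos + consumed >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[pos + consumed]
        consumed += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, consumed
        if consumed == 4:                       # spec allows at most 4 bytes
            raise ValueError("malformed remaining length")
        multiplier *= 128


def read_utf8_string(body: bytes, pos: int) -> Tuple[str, int]:
    """MQTT strings are a 2-byte big-endian length followed by UTF-8 bytes."""
    if pos + 2 > len(body):
        raise ValueError("truncated string length")
    n = int.from_bytes(body[pos:pos + 2], "big")
    end = pos + 2 + n
    if end > len(body):
        raise ValueError("truncated string")
    return body[pos + 2:end].decode("utf-8"), end


def parse_mqtt_stream(buf: bytes) -> List[MqttPacket]:
    """Walk a byte stream of back-to-back MQTT control packets."""
    packets: List[MqttPacket] = []
    pos = 0
    while pos < len(buf):
        first = buf[pos]
        ptype, flags = first >> 4, first & 0x0F
        rem_len, n = decode_remaining_length(buf, pos + 1)
        body_start = pos + 1 + n
        body = buf[body_start:body_start + rem_len]
        if len(body) < rem_len:
            raise ValueError("truncated packet body")
        if ptype == 1:  # CONNECT: protocol name, level, flags, keepalive, client id
            _proto, p = read_utf8_string(body, 0)
            p += 4                                 # level(1) + flags(1) + keepalive(2)
            client_id, _ = read_utf8_string(body, p)
            packets.append(MqttPacket("CONNECT", client_id=client_id))
        elif ptype == 3:  # PUBLISH: topic, [packet id if QoS > 0], payload
            qos = (flags >> 1) & 0x03
            topic, p = read_utf8_string(body, 0)
            if qos > 0:
                p += 2                             # skip packet identifier
            packets.append(MqttPacket("PUBLISH", topic=topic, qos=qos, payload=body[p:]))
        else:
            packets.append(MqttPacket(f"TYPE_{ptype}"))
        pos = body_start + rem_len
    return packets


def summarize_topics(buf: bytes) -> Dict[str, int]:
    """Bytes published per topic: the quickest view of what a device is sending."""
    totals: Dict[str, int] = {}
    for pkt in parse_mqtt_stream(buf):
        if pkt.kind == "PUBLISH" and pkt.topic is not None:
            totals[pkt.topic] = totals.get(pkt.topic, 0) + len(pkt.payload)
    return totals


# --- Constructed sample stream (builders are only used to make valid test data) ---
def build_connect(client_id: str) -> bytes:
    body = b"\x00\x04MQTT\x04\x02\x00\x3c" + len(client_id).to_bytes(2, "big") + client_id.encode()
    return b"\x10" + encode_remaining_length(len(body)) + body


def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    body = len(topic).to_bytes(2, "big") + topic.encode()
    body += packet_id.to_bytes(2, "big") if qos else b""
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body) + len(payload)) + body + payload


SAMPLE_STREAM = (
    build_connect("dev001")                                        # invented client id
    + build_publish("demo/dev001/data", b'{"sms":"code 1234"}')    # 19-byte payload
    + build_publish("demo/dev001/log", b"A" * 200, qos=1, packet_id=7)  # forces 2-byte length
)

if __name__ == "__main__":
    for pkt in parse_mqtt_stream(SAMPLE_STREAM):
        print(pkt.kind, pkt.client_id or pkt.topic, f"qos={pkt.qos}", f"{len(pkt.payload)} bytes")
    print(summarize_topics(SAMPLE_STREAM))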
While the malware is not groundbreaking technically, it stands out because of its operational model. A subscription-based MaaS offering is rarely seen in threats of this nature, and it lets cybercriminals rent a working banking trojan and its infrastructure without the skills to build their own.
Researchers have traced the malware’s creators to Turkish-speaking individuals. However, their exact identities remain unknown. DroidBot is part of a larger trend of affordable, subscription-based malware targeting financial systems and cryptocurrency platforms.
To safeguard against threats like DroidBot, avoid installing apps from unofficial sources or from links sent to you. Keep your device updated with the latest security patches and use a trusted mobile security product. Be cautious of apps requesting excessive permissions, in particular the ability to draw over other apps or to run as an accessibility service, which overlay and keystroke-logging malware typically relies on, and enable two-factor authentication (2FA) on financial accounts. Staying informed about current malware tactics also reduces your exposure.