F5 Labs uncovers new Android malware strain MaliBot

MaliBot features

  • Web injection/overlay attacks
  • Theft of cryptocurrency wallets (Binance, Trust)
  • Theft of MFA/2FA codes
  • Theft of cookies
  • Theft of SMS messages
  • The ability to bypass Google two-step authentication
  • VNC access to the device and screen capturing
  • The ability to run and delete applications on demand
  • The ability to send SMS messages on demand
  • Information gathering from the device, including its IP, AndroidID, model, language, installed application list, screen and locked states, and reporting on the malware’s own capabilities
  • Extensive logging of any successful or failed operations, phone activities (calls, SMS) and any errors

[Figure: MaliBot code capable of stealing Google MFA codes]

MaliBot is most obviously a threat to customers of Spanish and Italian banks, but we can expect a broader range of targets to be added to the app as time goes on. In addition, the versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency. In fact, any application that makes use of WebView is liable to have its users' credentials and cookies stolen.
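The capabilities listed above (overlay attacks, screen capture and theft of credentials and cookies from WebView-based apps) each have a platform-level mitigation that an Android app can apply to its sensitive screens. The example below is an added illustration, not code from the F5 Labs article or from MaliBot itself; the activity name, layout and view ids are hypothetical, and the three settings used (FLAG_SECURE, setHideOverlayWindows and setFilterTouchesWhenObscured) are standard Android APIs that exist independently of this malware.

```java
// Added example (not from the F5 Labs article): defensive settings for an
// Android activity that hosts a WebView login page. Names such as
// HardenedLoginActivity, R.layout.activity_login and R.id.login_webview
// are hypothetical placeholders.
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.appcompat.app.AppCompatActivity;

public class HardenedLoginActivity extends AppCompatActivity {

    private WebView loginWebView; // hypothetical field name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Block screenshots, screen recording and MediaProjection-based
        // capture of this window; it is also blanked in the recents view.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        // Android 12 (API 31) and later: ask the system to hide untrusted
        // TYPE_APPLICATION_OVERLAY windows while this activity is visible.
        // Requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        setContentView(R.layout.activity_login);        // hypothetical layout
        loginWebView = findViewById(R.id.login_webview); // hypothetical id

        // Discard touch events that arrive while another window is drawn
        // over this view, so an overlay cannot drive the login form.
        loginWebView.setFilterTouchesWhenObscured(true);

        // Minimise what page content inside the WebView can reach.
        WebSettings settings = loginWebView.getSettings();
        settings.setJavaScriptEnabled(false);   // enable only if the page needs it
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        // Keep session cookies scoped to this WebView: no third-party cookies.
        CookieManager cookieManager = CookieManager.getInstance();
        cookieManager.setAcceptThirdPartyCookies(loginWebView, false);
    }

    @Override
    protected void onDestroy() {
        // Drop session cookies when the login screen goes away so they do not
        // linger in the shared cookie store longer than needed.
        CookieManager.getInstance().removeSessionCookies(null);
        super.onDestroy();
    }
}
```

None of these settings stops an app that has already been granted broad device control, but they raise the cost of the overlay and screen-capture techniques the article describes, and FLAG_SECURE in particular is cheap to apply to every screen that shows credentials, MFA codes or wallet data.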

Full article on MaliBot Android malware

Read the full F5 Labs article on the MaliBot Android malware to get the list of indicators of compromise (IoCs).
Watch a video review of MaliBot Android malware.

Watch AubreyKingF5 and m_heath walk through the details in a 7 minute interview on DevCentral's YouTube Channel.

Updated Jun 24, 2022
Version 2.0

