Full Report
As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot. "DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring," Cleafy researchers Simone Mattia, Alessandro
Analysis Summary
# Tool/Technique: DroidBot
## Overview
DroidBot is a newly discovered Android Remote Access Trojan (RAT) operating under a Malware-as-a-Service (MaaS) model. It is designed to target banks, cryptocurrency exchanges, and national organizations, providing advanced capabilities for fraud and espionage, including VNC, overlay attacks, and keylogging.
## Technical Details
- Type: Malware family (Remote Access Trojan)
- Platform: Android
- Capabilities: Remote access, hidden VNC, overlay attacks, keylogging, user interface monitoring, dual-channel C2 communication.
- First Seen: Active since at least June 2024, discovered in late October 2024.
## MITRE ATT&CK Mapping
*Note: Since the article describes advanced malware capabilities without explicitly citing MITRE IDs, mappings are inferred based on documented functionality.*
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (for HTTPS C2)
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution (Inferred, common for RATs leveraging accessibility)
- TA0005 - Defense Evasion
  - T1444 - Impair Defenses (Implied through advanced overlay/VNC techniques)
- TA0006 - Credential Access
  - T1056 - Input Capture
    - T1056.001 - Keylogging
## Functionality
### Core Capabilities
- **Remote Access and Control:** Functions as a RAT, allowing operators to remotely control infected Android devices.
- **Data Harvesting:** Employs keylogging and user interface (UI) monitoring to capture sensitive information.
- **Overlay Attacks:** Leverages UI monitoring capabilities to perform overlay attacks, often used to trick users into entering credentials into fake login screens.
- **Hidden VNC:** Includes hidden Virtual Network Computing functionality for remote screen viewing and interaction.
### Advanced Features
- **Dual-Channel C2:** Utilizes distinct protocols for outbound and inbound communication:
  - Outbound data transmission via **MQTT** (Message Queuing Telemetry Transport).
  - Inbound command reception via **HTTPS**.
- **MaaS Model:** Sold as a service for a monthly fee of $3,000, accessible via a web panel.
- **Customization:** Affiliates can use the web panel to modify configurations and generate custom APK files embedding the malware.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Apps disguised as generic security applications, Google Chrome, or popular banking apps.
- Registry Keys: [Not applicable/provided for Android]
- Network Indicators: C2 communication utilizes **MQTT** for outbound traffic and **HTTPS** for inbound commands.
- Behavioral Indicators: Abusing Android's **accessibility services** to operate covertly and monitor user activity.
## Associated Threat Actors
- Unnamed affiliate groups (at least 17 identified) purchasing access via the MaaS model.
## Detection Methods
- Signature-based detection: [Not explicitly detailed, signature generation likely based on known APK structures or C2 endpoints]
- Behavioral detection: Flag unknown or suspicious applications that request or invoke Android accessibility services, and monitor for abnormal MQTT or HTTPS traffic patterns associated with C2.
- YARA rules: [Not provided in the text]
## Mitigation Strategies
- **App Vetting:** Exercise extreme caution when installing applications, especially those masquerading as legitimate or security-related apps, and only download from official stores.
- **Accessibility Service Monitoring:** Regularly review and restrict which applications have access to Android's accessibility services.
- **Network Monitoring:** Monitor outbound traffic for unusual connections utilizing the MQTT protocol.
- **User Education:** Educate users about overlay attacks and the risks associated with typing credentials into unexpected or untrusted interfaces.
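To make the network-side checks in the Detection Methods and Network Monitoring items concrete, here is an added example (not code from the article or from Cleafy) that recognises MQTT CONNECT packets in the first client payload of a TCP flow, so a CONNECT from a handset can be flagged even when the broker does not sit on the usual 1883/8883 ports. It covers MQTT 3.1 ("MQIsdp"), 3.1.1 and 5; the flow tuples, addresses and client IDs are constructed sample data.

```python
def _varint(buf, pos):
    """MQTT 1-4 byte variable-length integer at buf[pos] -> (value, new_pos) or (None, pos)."""
    value = 0
    for i, byte in enumerate(buf[pos:pos + 4]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    return None, pos  # truncated, or continuation bit still set on the 4th byte

def _utf8(buf, pos):
    """2-byte length-prefixed UTF-8 string at buf[pos] -> (text, new_pos) or (None, pos)."""
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if end > len(buf):
        return None, pos
    return buf[pos + 2:end].decode("utf-8", "replace"), end

def parse_mqtt_connect(payload):
    """Return CONNECT details if payload starts with an MQTT CONNECT packet, else None."""
    if len(payload) < 2 or payload[0] != 0x10:  # control type 1 (CONNECT), flags 0000
        return None
    remaining, pos = _varint(payload, 1)
    if remaining is None or pos + remaining > len(payload):
        return None
    name, pos = _utf8(payload, pos)  # "MQTT" (v3.1.1 / v5) or "MQIsdp" (v3.1)
    if name not in ("MQTT", "MQIsdp") or pos + 4 > len(payload):
        return None
    level, flags = payload[pos], payload[pos + 1]
    keepalive, pos = int.from_bytes(payload[pos + 2:pos + 4], "big"), pos + 4
    if level == 5:  # MQTT 5 inserts a properties block before the payload
        plen, pos = _varint(payload, pos)
        if plen is None:
            return None
        pos += plen
    client_id, _ = _utf8(payload, pos)
    if client_id is None:
        return None
    return {"protocol": name, "level": level, "client_id": client_id, "keepalive": keepalive,
            "username": bool(flags & 0x80), "password": bool(flags & 0x40)}

def scan_flows(flows):
    """flows: iterable of (src, dst, dport, first_client_payload); one alert per MQTT CONNECT."""
    hits = ((f, parse_mqtt_connect(f[3])) for f in flows)
    return [{"src": s, "dst": d, "dport": p, **info} for (s, d, p, _), info in hits if info]

# Constructed sample flows: an MQTT 3.1.1 CONNECT on a non-standard port and a TLS ClientHello.
SAMPLE_FLOWS = [
    ("10.0.0.7", "203.0.113.9", 8080, b"\x10\x12\x00\x04MQTT\x04\x02\x00\x3c\x00\x06dev-42"),
    ("10.0.0.7", "203.0.113.9", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]
```

Feed it the first client-to-server payload of each outbound flow from a mobile network segment; a short keepalive plus an unexpected destination is the pattern worth correlating with the accessibility-service review above.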
## Related Tools/Techniques
- Other Android Banking Malware leveraging accessibility features (e.g., ToxicPanda, mentioned in related context).
- Trojans utilizing VNC/Overlay techniques for credential theft.