A new Android remote access trojan (RAT) called DroidBot has targeted 77 banking institutions, cryptocurrency exchanges, and government organizations. Discovered by Cleafy researchers, DroidBot utilizes VNC and overlay attack techniques combined with features like keylogging and user monitoring. Since its emergence in October 2024, it has shown signs of being active since June, operating on a malware-as-a-service model that charges monthly fees. The malware, which is disguised as common apps, primarily affects devices in Europe and the UK. Notably, DroidBot uses dual communication protocols—HTTPS for receiving commands and MQTT for sending data—making its operations more flexible and resilient. While the technical aspects may not be groundbreaking, its service model represents a concerning trend in cyber threats.
As of December 5, 2024, a new Android malware threat named DroidBot is causing alarm among banking institutions and cryptocurrency exchanges. This remote access trojan (RAT) has targeted 77 organizations, raising concerns about mobile security on Android devices.
DroidBot has been described as a sophisticated RAT, utilizing stealthy techniques such as hidden VNC and overlay attacks, alongside traditional spyware capabilities including keylogging and user interface surveillance. Researchers from the Italian fraud prevention company Cleafy reported discovering the malware in late October 2024, although it is believed to have been operating since at least June. It reportedly functions as a malware-as-a-service (MaaS) offering with a subscription fee of around $3,000 per month.
The malware uses a dual-channel communication system, sending data out through a messaging protocol known as MQTT while receiving commands via HTTPS. This setup not only enhances its operation but also provides greater resilience against detection.
DroidBot campaigns have been identified across several European countries, disguised as legitimate applications like security tools or banking apps, making it easier for the trojan to infiltrate devices. With at least 17 different affiliate groups now utilizing this malware, experts caution that the risk to mobile users is substantial, particularly for those handling sensitive information.
Therefore, experts emphasize the importance of mobile security awareness. Users are advised to be vigilant about downloading applications—only use those from reputable sources and double-check permissions requested by the apps to protect themselves from potential threats like DroidBot.
For ongoing updates on cybersecurity threats, stay connected with our social media channels.
What is the $3,000 Android Trojan?
The $3,000 Android Trojan is a harmful software that targets bank accounts and cryptocurrency exchanges. It tricks users into giving away their personal information or money.
How does the Trojan work?
The Trojan usually disguises itself as a regular app. Once installed, it can steal login details and other sensitive information from users’ smartphones.
How can I tell if my phone is infected?
Signs of infection include unexpected app behavior, strange messages, or apps you didn’t install. If you notice anything odd, it’s best to check your phone for malware.
What can I do to protect myself?
To protect yourself, only download apps from trusted sources, keep your phone updated, and use strong passwords. You can also install a security app for extra safety.
What should I do if my phone is infected?
If you believe your phone is infected, uninstall suspicious apps immediately, run a security scan, and consider resetting your phone to remove any malware completely.
