Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

MaliBot Android Banking Trojan targets Spain and Italy

Malibot is a new Android malware targeting online banking and cryptocurrency wallet customers in Spain and Italy. F5 Labs researchers spotted a new strain of Android malware, named Malibot, that is targeting online banking and cryptocurrency wallet customers in Spain and Italy. The experts documented attacks against multiple banks, including UniCredit, Santander, CaixaBank, and CartaBCC. […]

malibot Android

Malibot is a new Android malware targeting online banking and cryptocurrency wallet customers in Spain and Italy.

F5 Labs researchers spotted a new strain of Android malware, named Malibot, that is targeting online banking and cryptocurrency wallet customers in Spain and Italy. The experts documented attacks against multiple banks, including UniCredit, Santander, CaixaBank, and CartaBCC.

malibot Android

The malware was discovered two weeks after an international law enforcement operation dismantled the FluBot malware.

The malware supports a broad range of features, including the ability to steal credentials, cookies, and bypass multi-factor authentication (MFA) codes. The malicious code also is also able to remotely control infected devices using a VNC server implementation

MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”, experts also observed the malicious code masqueraded as “MySocialSecurity” and “Chrome” apps.

The experts discovered that the C2 is in Russia and that the malware used the same servers that were associated with the Sality malware operation. The C2 is active at least since June of 2020, the malware is a heavily modified re-working of the SOVA Android banking trojan, but supports different functionality, and has different targets, C2 servers, domains and packing schemes.

The malware is distributed through malicious websites or via smashing attacks.

“Distribution of MaliBot is performed by attracting victims to fraudulent websites where they are tricked into downloading the malware, or by directly sending SMS phishing messages (smishing) to mobile phone numbers.” reads the advisory published by F5 Labs.

Like other banking Trojan, Malibot abuses the Accessibility Service to implements a VNC-like functionality using the Accessibility API, grabs information from screen, and populate bus object which saves device’s states.

“MaliBot listens for events using the Accessibility Service. If it detects that the victim has opened an app on the list of targets, it will set up a WebView that displays an HTML overlay to the victim.” continues the report.

Malibot abuses the access to the Accessibility API to bypass Google 2FA methods.

“MaliBot is most obviously a threat to customers of Spanish and Italian banks, but we can expect a broader range of targets to be added to the app as time goes on. In addition, the versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency.” concludes the report. “In fact, any application which makes use of WebView is liable to having the users’ credentials and cookies stolen.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Malibot)

[adrotate banner=”5″]

[adrotate banner=”13″]