
DroidBot Malware Attacks 77 Banks & Crypto Trading Platforms


Researchers identified a novel Android Remote Access Trojan (RAT) named DroidBot in late October 2024, with initial activity traced back to June 2024. Unrelated to known malware families, it uses a domain name to reach the infrastructure through which it establishes remote control over infected devices.

DroidBot, a sophisticated RAT, combines VNC and overlay attacks with keylogging and UI monitoring, using MQTT for outbound data transmission and HTTPS for inbound command reception, which gives it versatile and robust communication channels.

It actively targets 77 entities spanning financial and national organizations. With ongoing campaigns across Europe, its potential expansion to Latin America poses a significant threat to mobile users in these regions.

Retrieving the MQTT broker domain

The malware’s inconsistent codebase, including placeholder functions and varying levels of obfuscation, suggests ongoing development, which indicates active efforts to improve its capabilities and adapt to diverse environments.

Malware samples have been found to contain artifacts in the Turkish language, which suggests that developers are modifying their strategies in order to broaden their geographical reach.

MaaS networks, like DroidBot, offer cybercriminals a subscription-based model to access sophisticated malware and C2 infrastructure, eliminating the need for independent development and maintenance, thereby lowering the barrier of entry for malicious activities.

Forum post advertising a new Android bot

DroidBot uses a custom decryption routine to obfuscate sensitive information such as C2 server details and MQTT credentials; the routine relies on parameters derived from package information, which makes decryption more complex.

However, an application parser can still extract the necessary information given a sufficient sample size. While the app includes an ATS module for automated fraud, its functionality appears incomplete or dependent on server-side components.

The analysts intercepted DroidBot botnet traffic on an active MQTT broker and decrypted the live stream, gaining real-time insight into the botnet's size and geographical distribution.

Decrypting strings

An analysis of the threat actors' infrastructure and malware artifacts identified a focus on European users, particularly in France, Italy, Spain, and Turkey; this is supported by the targeted financial institutions, the user language preferences within the malware, and MQTT client activity.

The October 12, 2024, forum post introduces a new Android MaaS offering by a purportedly experienced developer, which includes a crypter, server access, hVNC for remote control, and ATS, targeting a global audience, likely excluding CIS countries.

Extracting affiliates from DroidBot configuration

Threat actors behind DroidBot, likely operating from Turkey, have been actively recruiting affiliates through a Telegram channel and sharing details about the malware's capabilities and pricing, occasionally revealing sensitive information such as system language and location through inadvertent screenshots.

According to Cleafy, the MaaS-like operational model of DroidBot, while technically similar to known malware, poses a significant threat by increasing the scale of attacks on financial institutions, which could overwhelm anti-fraud teams if not monitored effectively in real time.
