MaliBot Android Trojan Bypasses Two-Factor Authentication

F5 Labs researchers have discovered the MaliBot Android Trojan, which targets online banking and cryptocurrency wallet customers in Spain and Italy. The report notes that the malware is capable of stealing 2FA codes and thereby bypassing multi-factor authentication.

The analysts write that, in general, the new banker has the same capabilities as its counterparts: it steals credentials and cookies, bypasses multi-factor authentication, and abuses the Android accessibility service.

Let me remind you that we also wrote about how RedLine Stealer Malware Masks as Bots to Buy Binance NFT Mystery Boxes.

MaliBot is known to spread by disguising itself as mining apps (such as Mining X and The CryptoApp) and through scam sites designed to lure potential victims. The malware also uses so-called “smishing” as a propagation vector: it gains access to the infected device’s contacts and sends them SMS messages containing links to the malware.

“MaliBot’s command and control servers are located in Russia and appear to be the same servers that were previously used to spread the Sality malware. This is a heavily modified and redesigned SOVA malware with different functionality, targets, C&C servers, domains, and packaging schemes,” write the F5 Labs analysts.

Let me remind you that the SOVA banker, which experts have written about, was discovered in August 2021. Its distinguishing feature was overlay attacks: when the targeted banking application was launched, the malware displayed a fraudulent page on top of it in a WebView, loading a link supplied by the hackers’ server.

The same approach is now being used against some of the banks targeted by MaliBot, such as UniCredit, Santander, CaixaBank, and CartaBCC.

F5 Labs experts also note that, in addition to stealing passwords and cookies (to hijack the victim’s Google account), MaliBot can read two-factor authentication codes from the Google Authenticator app and extract sensitive data from the Binance and Trust Wallet apps, including balance information and the victims’ seed phrases.

In addition, MaliBot uses its Accessibility API access to bypass Google’s two-factor authentication, since stolen credentials alone are not enough in this case. The researchers found that the malware can bypass 2FA even when the login attempt comes from a previously unknown device and Google sends the victim a special notification.
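The two conditions the article describes, a third-party accessibility service driving the UI and a page drawn on top of the banking app, are both things a banking app can check for on its own side. The following Kotlin snippet is an added illustration, not code from F5 Labs or from the article; the `OverlayDefense` object and its function names are hypothetical.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.ApplicationInfo
import android.view.View
import android.view.accessibility.AccessibilityManager

// Hypothetical helper for a banking app. It surfaces the two signals that an
// accessibility-abusing, overlay-based banker such as MaliBot leaves behind:
// an enabled accessibility service that is not part of the system image, and
// touches that reach a sensitive view through another window drawn over it.
object OverlayDefense {

    // Returns the package names of enabled accessibility services that do not
    // ship with the system image. An empty list is the normal state on a device
    // without assistive technology. A banking app should treat a non-empty
    // list as a risk signal (warn, step up authentication, log for fraud
    // monitoring) rather than hard-block, because legitimate screen readers
    // are installed the same way.
    fun nonSystemAccessibilityServices(context: Context): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo }
            .filter { (it.applicationInfo.flags and ApplicationInfo.FLAG_SYSTEM) == 0 }
            .map { it.packageName }
            .distinct()
    }

    // Hardens a sensitive input (PIN field, login or transfer button). With
    // filterTouchesWhenObscured set, the framework discards any touch that
    // passed through a window belonging to another app, which is exactly what
    // a fraudulent overlay page produces. If the app prefers to warn instead
    // of silently dropping the touch, it can leave the flag off and inspect
    // MotionEvent.FLAG_WINDOW_IS_OBSCURED in its own onTouchEvent instead.
    fun hardenAgainstOverlay(view: View) {
        view.filterTouchesWhenObscured = true
    }
}
```

Both checks are cheap enough to run every time the login or payment screen is shown, which is the moment an overlay attack needs to be in place.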


Although for now the malware is aimed at stealing banking details and cryptocurrency, experts warn that in the future MaliBot’s capabilities, which allow almost complete control of an infected device, could “be used for a wider range of attacks.”


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.