DroidBot: Insights from a new Turkish MaaS fraud operation
Dec. 9, 2024, 10:32 p.m.
Description
DroidBot is an advanced Android Remote Access Trojan combining hidden VNC and overlay capabilities with spyware features. It uses dual-channel communication, transmitting data via MQTT and receiving commands through HTTPS. The malware targets 77 entities, including banks and cryptocurrency exchanges, in countries like the UK, Italy, France, Spain, and Portugal. Evidence suggests Turkish-speaking developers and a Malware-as-a-Service operation with 17 distinct affiliate groups. DroidBot is under active development, showing inconsistencies across samples. Its sophisticated features, diverse target list, and MaaS infrastructure make it a significant threat to financial institutions and government entities across multiple regions.
Date
Published: Dec. 9, 2024, 10:22 p.m.
Created: Dec. 9, 2024, 10:22 p.m.
Modified: Dec. 9, 2024, 10:32 p.m.
Indicators
e0e8dce9af3a7d54e7a24db95eb3b61582da436d5e795ebebf06b9926073ce59
cc9a45540262aaa9b733384e218512eb596092ef698ba12beb9d239f98e8bbf6
ie721f2d.ala.dedicated.aws.emqxcloud.com
k358a192.ala.dedicated.aws.emqxcloud.com
dr0id.best
Attack Patterns
DroidBot
T1059.004
T1071.001
T1204.002
Additional Information
Finance
Government
Portugal
Spain
Italy
France
Germany
United Kingdom of Great Britain and Northern Ireland