
MaliBot Android malware spreading fast, says Check Point

The MaliBot malware is becoming a persistent and widespread problem, and Android users should be on their guard, says Check Point

The recently discovered MaliBot Android malware is emerging as one of the most widespread threats to end-users, according to Check Point Research’s latest monthly Global Threat Index. It has emerged from nowhere over the past few weeks to become the third most prevalent mobile malware behind AlienBot and Anubis, filling the gap left by the takedown of FluBot in May.

MaliBot began to come to widespread attention in June 2022, and was discovered by F5 Labs researchers in the course of their work on FluBot. At the time, it was targeting mainly online banking customers in Italy and Spain, but its capabilities make it a relevant threat to Android users the world over.

According to F5, it disguises itself as a cryptocurrency mining app, but in fact steals financial information, credentials, crypto wallets and personal data. It is also capable of stealing and bypassing multifactor authentication (MFA) codes. Its command and control (C2) infrastructure is located in Russia, and it appears to have links to the Sality and Sova malwares.

It is distributed by luring victims to fraudulent websites that encourage them to download the malware, or by smishing, presenting victims with a QR code that leads to the malware APK.

“While it’s always good to see law enforcement successful in bringing down cyber crime groups or malwares like FluBot, sadly it didn’t take long for a new mobile malware to take its place,” said Maya Horowitz, vice-president of research at Check Point Software.

“Cyber criminals are well aware of the central role that mobile devices play in many people’s lives and are always adapting and improving their tactics to match. The threat landscape is evolving rapidly, and mobile malware is a significant danger for both personal and enterprise security. It’s never been more important to have a robust mobile threat prevention solution in place.”

Meanwhile, Emotet unsurprisingly retained the top spot as the most prevalent overall malware found in the wild, although Snake Keylogger – an infostealer – continues its meteoric rise, moving up to third having entered Check Point’s monthly chart in the number eight spot back in June.

Having initially been spread via tainted PDF files, more recent Snake campaigns have seen it arrive in Word documents disguised as requests for quotations.

Emotet also seems to be changing up its tactics, with a new variant reported last month that targets users of Google Chrome, and now includes credit card data theft.

The full top 10 countdown for June is as follows:

  1. Emotet – a trojan-turned-botnet used as a distributor for other malwares and ransomware campaigns.
  2. Formbook – a malware-as-a-service (MaaS) infostealer targeting Windows devices.
  3. Snake Keylogger – a particularly evasive and persistent infostealer that can steal virtually all kinds of sensitive information.
  4. Agent Tesla – an advanced remote access trojan (RAT) functioning as a keylogger and infostealer.
  5. XMRig – an open-source CPU mining software used to mine Monero.
  6. Remcos – another RAT that specialises in bypassing Windows security to execute malware with elevated privileges.
  7. Phorpiex – another botnet known for fuelling other malware families, as well as spam and sextortion campaigns.
  8. Ramnit – a modular banking trojan specialising in credential theft for bank and social media accounts.
  9. Glupteba – a backdoor-turned-botnet that includes an integral browser stealer capability and a router exploiter.
  10. NJRat – another RAT used by cyber criminals and nation state attackers alike, which is known to propagate through infected USB keys or networked drives.

Once again, the most exploited vulnerability in June 2022 was CVE-2021-44228, or Log4Shell, in Apache Log4j, which impacts 43% of organisations worldwide and whose exploitation shows no sign of slowing. In second place is an information disclosure vulnerability reported in Git Repository, and in third place, a series of URL directory traversal vulnerabilities on various web servers. More data on all of these is available from Check Point and can be accessed here.
