MaliBot’s C2 IP has been used in other malware smishing campaigns since June 2020, which raises questions about how the authors of this malware are related to other campaigns (see Campaign Screenshots).

How MaliBot Works

Android ‘packers’ are becoming increasingly popular with malware developers since they allow native code to be encrypted within the mobile app making reverse engineering and analysis much more difficult. Using the Tencent packer, MaliBot unpacks itself by decrypting an encrypted Dex file from the assets and loading it in runtime using MultiDex. We have a detailed analysis on the Tencent packer in the “Dex decryption” section in our Flubot article. Please note that not all MaliBot samples are packed.

Once loaded, MaliBot contacts the C2 server to register the infected device, then asks the victim to grant accessibility and launcher permissions. MaliBot then registers four services that perform most of the malicious operations:

• Background Service
  • Polls for commands from C2
  • Handles C2 commands
  • Sends device and malware information (such as permissions enabled, phone locked, “VNC” enabled, etc.)
  • Send Keep-Alive pings to C2
• Notify Service
  • Checks Accessibility permissions, if not granted it sends a notification to enable these permissions and navigates to Settings.
• Accessibility Service
  • Implementing a VNC-like functionality using the Accessibility API (see below)
  • Grabbing information from screen
  • Populate Bus object which saves device’s states
• Screen Capture service
  • Responsible for capturing the screen, also used as part of the “VNC” implementation

Four Receivers are registered as well:

• SMS Receiver – interception of SMS messages
• Boot Receiver
• Call Receiver
• Alarm receiver – background service watchdog to intercept calls, register boot activity, and intercept alarms.

Accessibility API Abuse

MaliBot performs most of its malicious operations by abusing Android’s Accessibility API. The Accessibility API is a powerful tool developed to encourage Android developers to build apps accessible for users with additional needs. The Accessibility API allows mobile apps to perform actions on behalf of the user, including the ability to read text from the screen, press buttons and listen for other accessibility events.

However, these powerful functions can also allow attackers to steal sensitive information and manipulate the device to their advantage. Flubot, Sharkbot and Teabot are just a few examples of banking trojans other than MaliBot that abuse the accessibility API. This service also allows mobile malware to maintain persistence. The malware can protect itself against uninstallation and permissions removal by looking for specific text or labels on the screen and pressing the back button to prevent them.

Google’s 2-Step Verification Bypass

Stealing credentials is often not enough to allow an attacker to successfully log in to a victim’s account. Since Google accounts are often enabled with multifactor authentication (also known as two-factor authentication, or in Google’s case, 2-step verification), a prompt will be shown on the victim’s devices if an unknown device tries to log in. The prompt will ask the victim to grant or deny the login attempt, then match a number shown on the other device. Once they have used MaliBot to capture credentials, the attackers can authenticate to Google accounts on the C2 server using those credentials, and use MaliBot to extract the MFA codes through the following steps:

• First, it validates the current screen is a Google prompt screen (Figure 4 & Figure 5).