
New Turkish MaaS Called DroidBot Discovered

According to a report by cybersecurity firm Cleafy, a new Malware-as-a-Service has begun operating, with much evidence pointing to the malware's developers operating within Turkey. Cleafy has called the malware itself DroidBot, based on the domain used to host the malware's infrastructure.

In brief, DroidBot is best described as a modern Remote Access Trojan (RAT) targeting Android devices that combines hidden virtual network computing (hVNC) and overlay attack techniques with spyware-like capabilities, including keylogging and user interface monitoring.

Further, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience.

Based on Cleafy's analysis, the malware may have begun to emerge as early as June 2024. Since then, security researchers have managed to track 77 distinct targets of DroidBot attack campaigns.

Targets include banking institutions, cryptocurrency exchanges, and national organizations, underscoring the use of DroidBot as a MaaS for those willing to pay to have a comprehensive RAT at their disposal. Researchers also discovered 17 distinct entities acting as affiliates, which further supports this point.

DroidBot still appears to be under active development as some functions, like root checks, exist only as placeholders and are not properly implemented, while other features, including obfuscation, emulator checks, and multi-stage unpacking, vary between samples discovered by researchers.

Even though the malware appears to still be under active development, victims in the United Kingdom, Italy, France, Spain, and Portugal have been discovered, along with evidence suggesting that affiliates are looking to attack targets in Latin America.

Researchers noted that the malware is capable of the following functions:

  • SMS Interception: The malware monitors incoming SMS messages, often used by financial institutions to deliver transaction authentication numbers (TANs), allowing attackers to bypass two-factor authentication mechanisms.
  • Keylogging: By exploiting Accessibility Services, DroidBot captures sensitive information displayed on the screen or entered by the user, such as login credentials, personal data, or account balances.
  • Overlay Attack: This approach involves displaying a fake login page over the legitimate banking application once the victim opens it to intercept valid credentials.
  • VNC-Like Routines: DroidBot periodically takes screenshots of the victim's device, providing threat actors with continuous visual data that offers a real-time overview of the device's activity.
  • Screen Interaction: Leveraging the full potential of Accessibility Services, DroidBot enables remote control of the infected device. This includes executing commands to simulate user interactions such as tapping buttons, filling out forms, and navigating through applications, effectively allowing attackers to operate the device as if they were physically present.

What struck security researchers as novel regarding the malware, particularly its infrastructure, was its unconventional command-and-control server communication method. As mentioned above, the malware leverages the Message Queuing Telemetry Transport (MQTT) protocol, which is both lightweight and efficient, often used by IoT devices and real-time messaging services.

Researchers further noted:

The choice of MQTT is particularly noteworthy because its use among Android malware remains relatively rare. The TA strategic decision facilitates efficient communication and enhances the malware's ability to evade detection. By adopting a protocol not commonly associated with malicious activities, the operators behind DroidBot can stay under the radar of conventional security measures…DroidBot’s utilization of MQTT reflects a growing trend in the malware landscape. Recent examples of Android banking trojans adopting this protocol include Copybara and BRATA/AmexTroll. Originally active in Latin America, these families have recently expanded their operations to Europe, demonstrating such techniques' increasing versatility and geographical spread.
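Because the protocol rather than the port is what makes this channel unusual on a phone, a defender can fingerprint MQTT directly in flow payloads. The Python below is an added example, not code from Cleafy or from this article: it recognises an MQTT CONNECT packet in the first payload of a TCP flow regardless of destination port. It assumes the payload is visible in cleartext (a TLS-wrapped session would need inspection or other heuristics), and the flow tuples and addresses are constructed sample data.

```python
import struct

def _varint(buf, pos):
    """Decode an MQTT variable byte integer; return (value, next_pos)."""
    value = 0
    for i in range(4):                      # the spec allows at most 4 bytes
        value |= (buf[pos + i] & 0x7F) << (7 * i)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed variable byte integer")

def parse_mqtt_connect(payload):
    """Return protocol details if payload starts with an MQTT CONNECT, else None."""
    if len(payload) < 2 or payload[0] != 0x10:   # packet type 1, flags 0
        return None
    try:
        _, pos = _varint(payload, 1)             # skip the remaining-length field
        (name_len,) = struct.unpack_from(">H", payload, pos)
        name = payload[pos + 2:pos + 2 + name_len]
        if name not in (b"MQTT", b"MQIsdp"):     # v3.1.1/v5 and legacy v3.1
            return None
        pos += 2 + name_len
        level, _flags, keepalive = struct.unpack_from(">BBH", payload, pos)
        pos += 4
        if level == 5:                           # MQTT 5 adds a properties block
            plen, pos = _varint(payload, pos)
            pos += plen
        (cid_len,) = struct.unpack_from(">H", payload, pos)
    except (struct.error, IndexError, ValueError):
        return None                              # truncated or malformed packet
    client_id = payload[pos + 2:pos + 2 + cid_len].decode("utf-8", "replace")
    return {"level": level, "keepalive": keepalive, "client_id": client_id}

# Constructed sample: (source, destination, dest port, first TCP payload).
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.7", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),
    ("10.20.0.15", "198.51.100.9", 8080, b"\x10\x12\x00\x04MQTT\x04\x02\x00\x3c\x00\x06dev-01"),
    ("10.20.0.22", "198.51.100.4", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    ("10.20.0.22", "198.51.100.4", 9000, b"\x10\x05hello"),   # 0x10 but not MQTT
]

def find_mqtt_flows(flows):
    """List flows whose first payload is an MQTT CONNECT, whatever the port."""
    hits = []
    for src, dst, port, payload in flows:
        info = parse_mqtt_connect(payload)
        if info:
            hits.append((src, dst, port, info["client_id"]))
    return hits
```

On a mobile or BYOD network segment, hits from this kind of check are worth correlating with the destination's reputation, since legitimate apps also use MQTT.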

From Turkey With Love

Cleafy researchers first discovered the MaaS operation being advertised on Russian underground hacking forums. One post dating back to October 12, 2024, provided researchers with some insight into the operation, including that the malware is developed by an experienced malware author, or at least allegedly developed by one.

Notably, the malware appears to have no restrictions preventing it from targeting Russian-speaking countries and countries in Russia's sphere of influence. This indicates that the author is not Russian or based in the CIS group of countries.

The post also advertises its various services and gives the subscription service price, which is 3000 USD per month. Upon deeper analysis, thanks to screenshots shared by the malware's author, which included the whole Windows screen, it was found that the operating system language was set to Turkish when the screenshot was taken.

Further, thanks to the Windows weather widget, it could be seen that the weather matched conditions in some areas of Turkey on that specific day, such as the capital city of Ankara.

Security researchers also discovered that the Telegram channel the malware author provided has been linked to operating within Turkey.

Currently, the link redirects the visitor to an alert issued by TR-CERT (USOM), the Computer Emergency Response Team of the Republic of Türkiye, which informs the visitor that the primary domain used by the group, dr0id[.]best, has been flagged as malicious and identified as a potential threat to the financial sector.

Given all the information above, researchers concluded,

As mentioned earlier, while the technical difficulties are not so high, the real point of concern lies in this new model of distribution and affiliation, which would elevate the monitoring of the attack surface to a whole new level. This could be a critical point, as changing the scale of such an important data set could significantly increase the cognitive load. If not efficiently supported by a real-time monitoring system, this could severely overwhelm anti-fraud teams within financial institutions.



About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
