DroidBot is an advanced Android Remote Access Trojan combining hidden VNC and overlay capabilities with spyware features. It uses dual-channel communication, transmitting data via MQTT and receiving commands through HTTPS. The malware targets 77 entities, including banks and cryptocurrency exchanges, in countries like the UK, Italy, France, Spain, and Portugal. Evidence suggests Turkish-speaking developers and a Malware-as-a-Service operation with 17 distinct affiliate groups. DroidBot is under active development, showing inconsistencies across samples. Its sophisticated features, diverse target list, and MaaS infrastructure make it a significant threat to financial institutions and government entities across multiple regions.
Author: AlienVault
Related Tags:
banking trojan
T1059.004
France
T1204.002
Italy
Portugal
Germany
T1071.001
Spain
Associated Indicators: