Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges

At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn.

[Becky Bracken, Senior Editor, Dark Reading](/author/becky-bracken)
December 5, 2024

A fierce Android remote access Trojan (RAT), dubbed "DroidBot," is using spyware features like keylogging and monitoring, as well as inbound and outbound data transmission, to steal data from banks, cryptocurrency exchanges, and other national organizations. But the real concern cybersecurity analysts have about the DroidBot banking Trojan is its apparent expansion into a full-on malware-as-a-service operation.

Researchers behind the discovery warned the DroidBot RAT has been active since mid-2024 and is already in heavy rotation among at least 17 affiliate groups, and has been used in 77 cyberattacks on organizations in France, Italy, Portugal, and Spain, [according to a report](https://www.cleafy.com/cleafy-labs/droidbot-insights-from-a-new-turkish-maas-fraud-operation) from Cleafy.

Further, evidence indicates the DroidBot [Android banking Trojan](https://www.darkreading.com/endpoint-security/android-banking-trojan-antidot-disguised-as-google-play-update) is being continuously updated and is possibly on the precipice of spilling over into Latin America.

Analysis showed the developers are native Turkish speakers but have started to expand into Spanish-speaking countries, which researchers said was a sign of the operation's intent to expand into Central and South America.

"Inconsistencies observed across multiple samples indicate that this malware is still under active development," the report said. "These inconsistencies include placeholder functions, such as root checks, different levels of obfuscation, and multi-stage unpacking. Such variations suggest ongoing efforts to enhance the malware's effectiveness and tailor it to specific environments."

Android Banking Trojan-as-a-Service Emerges
-------------------------------------------

In order to drop DroidBot, adversaries hide the malware in malicious banking applications and other ubiquitous applications, the researchers said, which is hardly new.

The RAT's novelty, according to the researchers, is the use of surveillance tools including SMS message interception, keylogging, and periodically capturing screenshots of the victim device. The malware also leverages accessibility services to allow threat actors to remotely execute commands and operate the victim's device.

"Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience," the report explained. "Recent examples of [Android banking Trojans](https://www.darkreading.com/application-security/android-botnet-toxicpanda-bashes-banks-europe-latin-america) adopting this protocol include Copybara and BRATA/AmexTroll."

Technical specs aside, Cleafy researchers raised the alarm that the rise of what appears to be a new banking RAT-as-a-service business model is a significant shift in the threat landscape.

"[W]hile the technical difficulties are not so high, the real point of concern lies in this new model of distribution and affiliation, which would elevate the monitoring of the attack surface to a whole new level," the report said. "This could be a critical point, as changing the scale of such an important data set could significantly increase the cognitive load."

About the Author
----------------

[Becky Bracken, Senior Editor, Dark Reading](/author/becky-bracken)

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Blog: Dark Reading
