Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges

NEWS BRIEF

A fierce Android remote access Trojan (RAT), dubbed "DroidBot," is using spyware features like keylogging and monitoring, as well as inbound and outbound data transmission, to steal data from banks, cryptocurrency exchanges, and other national organizations. But the real concern cybersecurity analysts have about the DroidBot banking Trojan is its apparent expansion into a full-on malware-as-a-service operation.

Researchers behind the discovery warned the DroidBot RAT has been active since mid-2024 and is already in heavy rotation among at least 17 affiliate groups, and has been used in 77 cyberattacks on organizations in France, Italy, Portugal, and Spain, according to a report from Cleafy. Further, evidence indicates the DroidBot Android banking Trojan is being continuously updated and is possibly on the precipice of spilling over into Latin America.

Analysis showed the developers are native Turkish speakers but have started to expand into Spanish-speaking countries, which researchers said was a sign of the operation's intent to expand into Central and South America.

"Inconsistencies observed across multiple samples indicate that this malware is still under active development," the report said. "These inconsistencies include placeholder functions, such as root checks, different levels of obfuscation, and multi-stage unpacking. Such variations suggest ongoing efforts to enhance the malware's effectiveness and tailor it to specific environments."

Android Banking Trojan-as-a-Service Emerges

In order to drop DroidBot, adversaries hide the malware in malicious banking applications and other ubiquitous applications, the researchers said, which is hardly new.

The RAT's novelty, according to the researchers, is the use of surveillance tools including SMS message interception, keylogging, and periodically capturing screen shots of the victim device. The malware also leverages accessibility services to allow threat actors to remotely execute commands and operate the victim's device.

"Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience," the report explained. "Recent examples of Android banking Trojans adopting this protocol include Copybara and BRATA/AmexTroll."

Technical specs aside, Cleafy researchers raised the alarm that the rise of what appears to be a new banking RAT-as-a-service business model is a significant shift in the threat landscape.

"[W]hile the technical difficulties are not so high, the real point of concern lies in this new model of distribution and affiliation, which would elevate the monitoring of the attack surface to a whole new level," the report said. "This could be a critical point, as changing the scale of such an important data set could significantly increase the cognitive load."