Skip to content

New MaliBot Android malware can bypass multifactor authentication

  • by
  • 2 min read

A new Android malware, dubbed MaliBot, can steal passwords, bank details and cryptocurrency wallets from Android devices bypassing multi-factor authentication protocols in the process. 

This new malware, found by security researchers at F5 Labs, is distributed using SMS phishing or luring customers to malicious websites. In both cases, users are prompted to tap a link that downloads the malware onto their device. Here’s everything the malware can do:

  • Web injections/overlay attacks
  • Stealing crypto wallets (Binance, Trust)
  • Stealing 2FA/MFA codes
  • Stealing browser cookies
  • Access and send SMS messages
  • Bypassing Google’s two-step authentication
  • VNC access and a screen capture of the infected device 
  • Logging successful and failed operations, including calls, SMS and any errors
  • Information gathering on the infected device, including IP, AndroidID, model, language, installed apps, screen and locked states. 
Photo by Morrowind/

So far, the researchers have noticed two campaigns pushing the malware, namely “Mining X” and “TheCryptoApp”. Both campaigns have a website with a download link to the malware.

Out of the two campaigns, the TheCryptoApp campaign impersonates a legitimate app with the same name that has over one million downloads on the Google Play Store. To further hide the app, the website only downloads the malware if it’s accessed from an Android device; otherwise, it redirects the user to TheCryptoApp’s Google Play page. 

Once the malware reaches the device, it asks the victim to provide accessibility and launcher permissions. These permissions let the malware monitor the device and perform malicious activity, including stealing passwords, bank details and multi-factor authentication codes. 

MaliBot uses the accessibility permissions granted by the user to tap the ‘Yes’ button on any prompts asking the user if they’re signing in to a service. Additionally, since the malware has launcher permissions, it can hide any prompts under overlays. 

Currently, both campaigns only target customers of Spanish and Italian banks, but researchers warn of a much wider range of targets to be included as the campaign grows further. Additionally, given the amount of control the malware gains over the infected device, we could see attackers using the malware for more than just stealing credentials and cryptocurrency. 

In the News: Samsung is bringing back its wallet, with crypto; merges Pay and Pass


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: [email protected].