New MaliBot Android Trojan Targets Crypto Wallets and Online Banking

Security researchers have identified a new Android banking trojan, dubbed MaliBot, developed to go after cryptocurrency wallets and online banking users. The malware goes beyond typical data theft to include device-state monitoring and user activity tracking, enabling attackers to map how a victim uses their phone.

Beyond stealing basic device information, MaliBot records user actions on the smartphone. It can track calls, messages, app launches and removals, and SMS activity. The malware also deploys overlay and input-injection techniques to deceive users and capture credentials. These capabilities create a multi-layered threat, mixing information theft with real-time interaction manipulation.

The standout feature of MaliBot is its focus on crypto security and two-factor authentication. It is designed to siphon data from crypto wallets and to intercept authentication codes, including those generated by Google Authenticator. It can capture cookies, bypass Google’s two-step verification, gain remote control of the device, and take screenshots to aid credential theft. The combination of credential interception and remote access significantly raises the risk to crypto users and financial accounts.

Initial distribution appears to rely on deceptive sites offering fake apps that masquerade as legitimate tools. Among the impersonations cited are a knockoff CryptoApp wallet, a spoofed security site, and even a counterfeit version of a common browser. This social engineering approach makes MaliBot appear familiar, lowering the barrier to installation for unsuspecting users.

There is evidence that MaliBot is a modified variant of a prior banking trojan. The adaptation suggests a trend toward reusing proven attack frameworks, enhanced with crypto-targeted capabilities to widen impact. The geographic pattern observed so far shows a higher incidence among users of certain European financial services, with UniCredit and Santander-branded banking channels mentioned in early reports (F5 Labs).

Commentary from security researchers notes that a sizable portion of Android devices may be at risk due to ongoing rapid changes in software support and device security postures. This dynamic environment underscores the importance of prompt security hygiene, regular app updates, and careful scrutiny of app sources to reduce exposure to MaliBot and similar threats. It also points to the need for robust mobile multi-factor authentication practices and device-level protections that can limit attacker access (F5 Labs).
