Researchers at Cleafy have discovered a new Android banking trojan called “DroidBot” that steals login information for more than 77 cryptocurrency exchanges and banking apps.

DroidBot has been active since June 2024 as a malware-as-a-service (MaaS) platform. Criminals who want to use DroidBot pay a monthly subscription fee of $3,000.

So far, 17 groups have been identified that used malware for attacks with the help of malware creators. Malware infections have been detected across the UK, Italy, France, Turkey and Germany, but Cleafy warns that there are indications of attempts to spread the malware to new regions.

The developers of DroidBot are most likely Turkish, who provide collaborators with all the necessary tools to carry out attacks. This includes the malware itself, command and control (C2) servers, and a central administrative panel from which they can control their operations, retrieve stolen data, and issue commands.

Malware can record the victim’s keystrokes, display fake login pages through banking application interfaces, intercept SMS messages, especially those containing one-time passwords (OTPs) for banking applications, allow attackers to remotely view and control infected device, execute commands and dim the screen to hide the malicious activity.

DroidBot uses Android access services to track what the victim is doing on the device and simulates swiping and tapping movements.

Among the 77 apps that DroidBot is trying to steal passwords for are Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken and Garanti BBVA.

Android users are advised to download apps only from Google Play, review permission requests after installation and check if Play Protect is active on their devices.