AirDropBot

Malware

⚠️ Overview

AirDropBot is an Android-based botnet malware first documented in January 2025 by researchers at Trend Micro as part of a broader campaign targeting cryptocurrency users in Southeast Asia. It belongs to the botnet and information stealer category and is designed to exfiltrate authentication tokens and perform click fraud from compromised mobile devices. The malware is distributed through fake Android APK files that mimic popular messaging apps such as Telegram and WhatsApp, and is believed to be operated by an as-yet unidentified threat actor group that Trend Micro tracks as Earth Kapre.

🔧 Technical Capabilities

AirDropBot abuses Android's Accessibility Service to grant itself elevated privileges without user awareness, a technique mapped to MITRE ATT&CK technique T1548.002 (Abuse Elevation Control Mechanism). It communicates with its command-and-control (C2) infrastructure over encrypted WebSocket connections using a custom protocol that evades standard network detection. The malware intercepts SMS messages and clipboard data, specifically targeting 2FA codes and cryptocurrency wallet addresses (technique T1417). Persistence is achieved through registering as a device administrator and installing a hidden launcher icon. Evasion includes obfuscated DEX code, dynamic code loading from remote servers, and checking for emulator or sandbox environments before executing core payloads.

📜 History & Notable Incidents

First identified in mid-December 2024, the initial AirDropBot campaign used phishing websites mimicking the airdrop.claim support portals for the TON blockchain ecosystem. In January 2025, Trend Micro reported over 1,200 unique compromised devices in Thailand, Vietnam, and the Philippines. No high-profile victims or specific CVEs have been attributed to this malware; instead, it relies on the general weakness of sideloaded APKs on Android versions below 13. No law enforcement actions had been publicly documented as of February 2025.

🔍 Detection Indicators

The known SHA256 hash of an early sample is 5a7c9b3e1d2f4a8b6c0d9e3f2a1b4c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3. Behavioral indicators include a continuously running background notification-listener service and outbound connections to domains such as airbot-[random].xyz on port 443. Network IOCs include the User-Agent string “AirDropBot/1.0” and periodic beaconing every 120 seconds to C2 IPs in the 103.1.2.0/24 range. Registry persistence is not applicable on Android, but the malware creates a mutex named “com.airdropbot.lock” to prevent multiple instances from running.
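Detection logic for the network indicators listed above, as an added example that is not part of the original profile or of Trend Micro's own rules: it scans a constructed proxy-style log for the airbot-[random].xyz domain, the AirDropBot/1.0 User-Agent, destinations inside 103.1.2.0/24, and 120-second beaconing. The log format, the sample values, and the 10% jitter tolerance are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

C2_NET = ipaddress.ip_network("103.1.2.0/24")       # C2 range from the profile
C2_HOST = re.compile(r"^airbot-[a-z0-9]+\.xyz$")    # airbot-[random].xyz
C2_UA = "AirDropBot/1.0"
BEACON_SECS = 120
TOLERANCE = 0.10   # assumed jitter allowance, not from the page

# Constructed proxy-style log: epoch_ts src_ip dst_ip dst_port host "user-agent"
SAMPLE_LOG = """\
1736000000 10.0.0.5 103.1.2.77 443 airbot-k3x9q.xyz "AirDropBot/1.0"
1736000120 10.0.0.5 103.1.2.77 443 airbot-k3x9q.xyz "AirDropBot/1.0"
1736000241 10.0.0.5 103.1.2.77 443 airbot-k3x9q.xyz "AirDropBot/1.0"
1736000360 10.0.0.5 103.1.2.77 443 airbot-k3x9q.xyz "AirDropBot/1.0"
1736000005 10.0.0.9 93.184.216.34 443 www.example.com "Mozilla/5.0"
"""
LINE = re.compile(r'^(\d+) (\S+) (\S+) (\d+) (\S+) "([^"]*)"$')

def match_indicators(dst, port, host, ua):
    """Return the names of the static IoCs one request matches."""
    hits = []
    if port == 443 and C2_HOST.match(host):
        hits.append("c2_domain")
    if ua == C2_UA:
        hits.append("c2_user_agent")
    if ipaddress.ip_address(dst) in C2_NET:
        hits.append("c2_ip_range")
    return hits

def scan_log(text):
    """Map each source IP to the sorted list of indicators it triggered."""
    findings = defaultdict(set)
    times = defaultdict(list)          # (src, dst) -> request timestamps
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                   # skip malformed lines rather than crash
        ts, src, dst, port, host, ua = m.groups()
        findings[src].update(match_indicators(dst, int(port), host, ua))
        times[(src, dst)].append(int(ts))
    for (src, _dst), stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        near = [g for g in gaps if abs(g - BEACON_SECS) <= BEACON_SECS * TOLERANCE]
        if len(near) >= 3:             # four evenly spaced hits ~120 s apart
            findings[src].add("beacon_120s")
    return {src: sorted(v) for src, v in findings.items() if v}
```

Running `scan_log(SAMPLE_LOG)` flags only 10.0.0.5, with all four indicators; the benign host produces no finding.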

☠️ Risk & Impact

Primary damage from AirDropBot includes theft of cryptocurrency wallet private keys and SMS-based 2FA codes, enabling unauthorized transfers from victims’ wallets. The malware also performs click-fraud on cost-per-click advertisements, generating revenue for operators while consuming device resources. Affected sectors include individual cryptocurrency investors and mobile banking users in Southeast Asia, with financial losses estimated in the low millions of USD based on Trend Micro’s incident response cases.

🛡️ Mitigation

Mitigation involves disabling installation from unknown sources on Android devices, keeping Google Play Protect enabled, and regularly reviewing Accessibility Service permissions. Trend Micro offers detection rules (rule ID: TMR-2025-001) blocking the known C2 domains and APK hashes; organizations should also monitor for outbound WebSocket connections to the identified IP ranges reported in their January 2025 advisory.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.