DroidBot

Malware

⚠️ Overview

DroidBot is an Android banking trojan first publicly documented in November 2024 by Cleafy’s TIR team, attributed to a Turkish-speaking threat actor known as TANGO. The malware is distributed as a Malware-as-a-Service (MaaS) and primarily functions as an overlay-based credential stealer and remote access trojan (RAT) targeting financial applications.

🔧 Technical Capabilities

DroidBot uses overlay attacks to capture banking credentials by displaying fake login screens over legitimate apps, leveraging Android’s Accessibility Service for input interception and screen content extraction. It communicates with a command-and-control (C2) server via WebSocket connections using the MQTT protocol for real-time command execution, including SMS interception, contact exfiltration, and keylogging. The malware achieves persistence by requesting device admin privileges and hiding its icon from the app drawer. Evasion techniques include obfuscated code, dynamic loading of malicious payloads from remote servers, and checking for emulator environments or debugging tools before executing core functions.

📜 History & Notable Incidents

First observed in early November 2024, DroidBot rapidly spread through malicious Android APKs disguised as utility or security apps, primarily targeting users in the United Kingdom, Italy, Spain, and Turkey. By December 2024, Cleafy reported over 100 distinct C2 servers and 23 affiliate groups actively using the malware platform, though no high-profile victim disclosures or CVEs have been directly associated with the family as of early 2025.

🔍 Detection Indicators

Known indicators include package names such as com.secure.vpn and com.naxa.app, C2 domains using .top and .xyz TLDs, and network traffic over port 443 with WebSocket handshakes containing MQTT payloads. Behavioral signatures include repeated requests for Accessibility Service enabling, overlay windows appearing on banking apps, and SMS message forwarding to attacker-controlled numbers.

☠️ Risk & Impact

DroidBot enables theft of online banking credentials, two-factor authentication codes, and personal identifiable information (PII), leading to fraudulent transactions and account takeovers. The primary impact is financial losses for individual banking customers, with the MaaS model lowering the barrier for entry-level cybercriminals to conduct targeted campaigns against European and Turkish financial institutions.

🛡️ Mitigation

Mitigation measures include blocking installation of apps from untrusted sources, disabling Accessibility Service for suspicious applications, and deploying mobile threat defense (MTD) solutions that detect DroidBot’s behavioral patterns (e.g., Cleafy’s detection rules for MQTT C2 traffic). Android users should keep devices updated and avoid granting Device Admin privileges to unknown apps.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.