MobileOrder

Malware

⚠️ Overview

MobileOrder is a mobile banking trojan first documented in early 2023 by researchers at ThreatFabric, targeting Android users primarily in Europe and Latin America. It is operated as malware-as-a-service (MaaS) by a threat group tracked as TA663, and belongs to the category of information stealers with overlay attack capabilities.

🔧 Technical Capabilities

The malware propagates through smishing campaigns that impersonate shipping carriers, luring victims to sideload a malicious APK from lookalike domains. Once installed, MobileOrder requests Accessibility Service privileges to perform overlay attacks on over 200 banking and cryptocurrency apps. Its command-and-control infrastructure uses encrypted WebSocket channels and domain fronting via CDN providers to evade network detection. Persistence is achieved by registering as a device administrator and hiding its icon from the launcher. Evasion techniques include checking for emulator environments, anti-VM detection using sensor data, and encrypting configuration files with AES-256-CBC.

📜 History & Notable Incidents

First observed in January 2023, MobileOrder was linked to a campaign that compromised users of Santander, BBVA, and Nubank, with estimated financial losses exceeding $3.2 million. In June 2024, a joint operation by Europol and Brazilian authorities seized two C2 servers used by the gang, though no arrests were reported. No CVEs have been directly associated with MobileOrder; it exploits no system vulnerabilities, relying solely on social engineering.

🔍 Detection Indicators

Known SHA-256 hashes include a62f8c1e... (from VirusTotal) and b9d4e73f... (from the ThreatFabric report). Behavioral signatures include requesting overlay permissions immediately after installation, and network indicators include connections to domains ending in .top or .gq with paths such as /api/v2/orders. Registry keys are not applicable on Android; instead, look for the mutex name MOrderLocker in the app's process list.
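The network indicators above (hosts under .top or .gq combined with a request path under /api/v2/orders) can be turned into a simple proxy-log check. The following is an added example, not code from the original report or from ThreatFabric; the log format, hostnames and client addresses are constructed for illustration, and the two-tier confidence scheme is an assumption of this example, not something the profile states.

```python
"""Match web-proxy log lines against the MobileOrder network indicators
given in the profile: hosts ending in .top or .gq and paths under
/api/v2/orders. The log format and all sample lines below are constructed
for this example; the hostnames are not real indicators."""
from urllib.parse import urlsplit

SUSPICIOUS_TLDS = (".top", ".gq")          # TLDs named in the profile
SUSPICIOUS_PATH_PREFIX = "/api/v2/orders"  # C2 path named in the profile

# Constructed sample proxy log (hypothetical format):
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.12 GET https://cdn.example.com/static/app.js 200
2024-06-01T10:00:05Z 10.0.0.31 POST https://track-parcel.top/api/v2/orders/sync 200
2024-06-01T10:00:09Z 10.0.0.31 GET https://shipping-update.gq/api/v2/orders 200
2024-06-01T10:00:12Z 10.0.0.44 GET https://news.example.top/index.html 200
2024-06-01T10:00:15Z 10.0.0.12 GET https://bank.example.com/api/v2/orders 200
"""


def classify(url):
    """Return 'high' when both indicators match, 'medium' when only one
    matches, and None when the URL matches neither (assumed tiers)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tld_hit = host.endswith(SUSPICIOUS_TLDS)
    path_hit = (parts.path == SUSPICIOUS_PATH_PREFIX
                or parts.path.startswith(SUSPICIOUS_PATH_PREFIX + "/"))
    if tld_hit and path_hit:
        return "high"
    if tld_hit or path_hit:
        return "medium"
    return None


def scan_log(text):
    """Return a list of (client_ip, url, confidence) for every matching line;
    malformed lines are skipped rather than raising."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, url = fields[1], fields[3]
        confidence = classify(url)
        if confidence:
            hits.append((client_ip, url, confidence))
    return hits


def clients_to_triage(text):
    """Set of client addresses with at least one high-confidence hit, i.e. the
    devices worth inspecting first for a sideloaded APK."""
    return {ip for ip, _, conf in scan_log(text) if conf == "high"}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print("triage:", sorted(clients_to_triage(SAMPLE_LOG)))
```

The path by itself is a weak signal (legitimate order APIs use similar routes), so a path-only or TLD-only match is reported at lower confidence and only the combined match drives triage; tune the tiers to the noise level of your own proxy data.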

☠️ Risk & Impact

The malware causes credential theft and real-time interception of two-factor authentication codes, leading to account takeovers and unauthorized wire transfers. Primary affected sectors are retail banking, cryptocurrency exchanges, and e-commerce platforms, with victims in Spain, Brazil, and Mexico suffering average losses of $12,000 per incident.

🛡️ Mitigation

Defenders should enforce app-based blocking of sideloaded APKs via MDM policies and deploy YARA rules (e.g., rule MobileOrder_v1) to detect the malware's obfuscated DEX payload. ThreatFabric's sandbox platform provides real-time detection signatures; no patch exists, as the malware does not exploit system vulnerabilities.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.