Newly Discovered Android Malware, DroidBot, Targets 70+ Banking and Crypto Apps

Published on December 5, 2024
Written by:
Novak Bozovic
Novak Bozovic
Tech & VPN Content Specialist

Being a fairly open mobile platform, Android is often affected by data-stealing malware and remote access Trojans. Even though Google is focused on increasing the platform’s resilience, new malware breeds appear more often than ever. The latest malware breed was discovered by Cleafy researchers, targeting banking and crypto apps.

Named DroidBot, this Remote Access Trojan (RAT) operates as a malware-as-a-service (MaaS). It’s available for $3,000 per month, offering less experienced malicious actors the complete set of tools to steal highly sensitive information. This includes the malware builder, command-and-control (C2) servers, and a central admin panel to control operations, extract stolen data, and issue commands.

DroidBot Admin Page
Image Source: Cleafy Labs

DroidBot uses standard decoys to trick users into installing fake apps, which usually present as Google services, generic security apps, or popular banking apps. It takes advantage of Android’s Accessibility Services to perform its functions. That means the user must willingly provide access to these services, usually during the initial installation stages.

DroidBot Overlay
Image Source: Cleafy Labs

Upon granting access to Accessibility Services, DroidBot can perform a wide range of functionalities, including:

Regarding the affected apps, Cleafy notes that 77 banking and crypto apps have been identified as potential targets. Those include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, Garanti BBVA, and more.

Furthermore, 17 affiliate groups have been identified, revealing a network of botnets and 770+ infections throughout France, Belgium, Spain, Italy, and Turkey, which are the most targeted countries. Infections were also observed in the UK, Norway, Sweden, Finland, Germany, Poland, Greece, and other European countries.

To avoid a DroidBot infection, Android users are advised to download apps only from the Play Store. They should also scrutinize permission requests and make sure “Play Protect” is active on their mobile devices.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: