New methods of stealing bank accounts through malware on mobile devices are increasingly common. The latest to be discovered is a new nightmare for Santander and CaixaBank customers in Spain who use Android devices: hundreds of cases of data theft have already been reported.

This malware, known as MaliBot, is active in Spain and Italy. It is a new form of bank account theft and a new danger for Android users who bank with Santander or CaixaBank. In this case, multifactor authentication is of little use.

Malware with the ability to take total control of the phone

MaliBot can compromise a user's security in several ways. It is capable of collecting user cookies, bypassing two-factor authentication codes to log into accounts, and even controlling the device remotely. This allows the attacker to gain control of online banking applications.

As mentioned above, this malware is active in both Spain and Italy, and hundreds of users have already reported this new way of stealing information.

According to a warning from F5, a company specializing in cybersecurity and applications, the malware is being controlled from Russia, and its attackers use the same servers they used with Sality, a classic Trojan dating back to 2003.

The company has detected that MaliBot is also capable of stealing cryptocurrency wallets and SMS messages, accessing screen recording, and even running or deleting applications, among other things. Basically, once injected into the device, the attacker has full control of it.

The malware can be found in cryptocurrency mining apps such as ‘Mining X’ or ‘The CryptoApp’. According to F5, it sometimes also hides under the name ‘MySocialSecurity’ and even ‘Chrome’. It is distributed through web pages where the user is tricked into downloading MaliBot, or through SMS phishing, in which a message carries a download link that leads to the malware.

This malware uses smishing techniques to spread to Android mobile devices. Once injected, it runs background processes and acts on C2 commands, activating permissions and stealing information from the screen while the device is in use.

As in practically all similar cases, users are advised to always keep their mobile device updated, not to download applications of dubious origin, and not to open suspicious links received by SMS, a route by which more and more users fall victim.