
Critical alert: Malware threatens Android banking security in Morocco

Wednesday 07 May 2025 - 17:10

Morocco’s General Directorate for Information Systems Security (DGSSI) has raised alarms over a sophisticated malware targeting Android smartphones. The malware, identified as “BTMOB RAT,” was first detected in February and is primarily designed to harvest sensitive information, including banking data.

According to the DGSSI's alert issued recently, this Remote Access Trojan (RAT) is disseminated through phishing websites and malicious applications that may appear on the Google Play Store.

What heightens the concern surrounding this threat is its exploitation of Android’s accessibility services, allowing it to gain legitimate permissions while circumventing the system’s security measures. The malware utilizes advanced methods to maintain ongoing access to compromised devices. Once installed, BTMOB RAT can interact with the user interface to collect sensitive information displayed on the screen, including login credentials, private messages, and banking details. Additionally, it monitors the clipboard, capturing temporarily stored data such as passwords and payment information.

“These services are designed to assist users with specific needs, but when exploited by malware, they enable security restrictions to be bypassed,” notes the Center for Monitoring, Detection, and Response to Computer Attacks.

Operating discreetly in the background, this malware can evade detection by conventional antivirus solutions. This warning emerges amidst escalating concerns regarding digital financial security in Morocco. Last March, cybersecurity firm Cypherleak reported that data from over 31,000 Moroccan bank cards was found for sale on dark web marketplaces, with more than 5,500 cards still active and at risk of fraud.

Experts indicate that BTMOB RAT is being marketed as “Malware-as-a-Service” (MaaS), allowing various cybercriminals to purchase or lease it for their malicious endeavors, significantly amplifying its distribution and potential impact. Estimates from Kaspersky and Lookout Mobile Security indicate that over 500,000 instances of malware exploiting Android accessibility features were recorded in 2024.

This trend is particularly alarming, as users often enable these services for practical purposes such as screen reading or voice navigation. Kaspersky revealed last April that Morocco ranks third among African nations contending with web-based threats, with a staggering 12.6 million attack attempts documented in 2024, trailing only Kenya and South Africa.

The DGSSI advises integrating indicators of compromise into detection systems and urges immediate notification to the Moroccan Computer Emergency Response Team (maCERT) if any related activity is detected. Users are encouraged to exercise vigilance when downloading applications, scrutinize the permissions granted to apps, and regularly monitor for suspicious activities in their Android settings.
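One way to carry out the permission review on a device connected over USB, given as an added example and not taken from the DGSSI alert: the script reads the list of enabled accessibility services through `adb` and reports every service outside a local allowlist, together with the package's recorded installer. The allowlist contents and the `com.example.flashlight` sample package are assumptions constructed for illustration.

```python
import subprocess
# Assumption: services expected to be enabled here (adjust locally).
ALLOWLIST = {"com.google.android.marvin.talkback"}
# Constructed sample output; com.example.flashlight is a made-up package.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.flashlight/.HelperService")
SAMPLE_INSTALLERS = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
                     "package:com.example.flashlight  installer=null\n")

def parse_enabled_services(raw):
    """Split the colon-separated 'package/class' list from secure settings."""
    raw = raw.strip()
    if not raw or raw == "null":  # nothing enabled
        return []
    pairs = (comp.partition("/") for comp in raw.split(":"))
    return [(pkg, pkg + cls if cls.startswith(".") else cls) for pkg, _, cls in pairs]

def parse_installers(raw):
    """Map package -> installer from 'pm list packages -i' output."""
    installers = {}
    for line in raw.splitlines():
        parts = line.strip().split()
        if parts and parts[0].startswith("package:"):
            src = [p.split("=", 1)[1] for p in parts[1:] if p.startswith("installer=")]
            installers[parts[0][len("package:"):]] = src[0] if src else "unknown"
    return installers

def audit(services_raw, installers_raw, allowlist=ALLOWLIST):
    """Enabled accessibility services outside the allowlist; installer is context only."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg not in allowlist:
            src = installers.get(pkg, "unknown")
            findings.append({"package": pkg, "service": cls, "installer": src,
                             "from_play_store": src == "com.android.vending"})
    return findings

def adb_shell(*args):  # needs adb on PATH and an authorised device
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    try:
        raw = (adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
               adb_shell("pm", "list", "packages", "-i"))
    except (OSError, subprocess.CalledProcessError):  # no device: constructed sample
        raw = (SAMPLE_SERVICES, SAMPLE_INSTALLERS)
    print(*audit(*raw), sep="\n")
```

Because the alert notes that malicious applications may also appear on the Google Play Store, a `from_play_store` value of true does not clear a finding; any service the user does not recognise should be disabled and reviewed.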

This alert is part of a broader increase in mobile cyberattacks. In 2023, Zimperium reported a 51% rise in attacks targeting Android globally, particularly in emerging nations with developing digital infrastructures.

