MysteryBot malware combines the features of a banking trojan, keylogger and ransomware
Experts at ThreatFabric have found a mobile malware, MysteryBot, which attacks devices running Android 7 and 8. The new threat combines the functions of a banking Trojan, a keylogger and ransomware.
Researchers report that MysteryBot is definitely connected with another malware, the LokiBot banking Trojan, as indicated by similarities found in the source code. In addition, the new malware uses the same command-and-control server, and specialists have already detected it in recent malicious campaigns. It remains unclear why the authors of LokiBot switched to developing a new malware. Perhaps the leak of the LokiBot source code a few months ago was the reason: after that incident, several hacker groups began to use the Trojan.
Specialists write that MysteryBot differs greatly from its predecessor, as well as from competing Android bankers (for example, ExoBot 2.5, Anubis II, DiseaseBot and CryEye). According to ThreatFabric, MysteryBot is the first banking Trojan able to correctly display overlays on Android 7 and 8.
Overlays have long been used by malware authors to display fake login pages or input forms on top of the windows of legitimate applications. But after the release of Android 7 and 8, cybercriminals ran into problems, as Google engineers added new protection mechanisms to the OS. Malware developers could no longer make overlays appear on the screen of an infected device at the right moment, because they had lost the ability to track when the victim launches an application.
According to ThreatFabric's investigation, the authors of MysteryBot worked around this problem. They use the PACKAGE_USAGE_STATS permission to display overlays at the right time: Android exposes the usage statistics of applications, and from these the attackers indirectly learn which application is currently in use.
The keylogger's unique feature
This malware is also equipped with a keylogger, and a rather unusual one. When the user types on the on-screen keyboard, MysteryBot doesn't take a screenshot for each letter but instead records touch gestures. The malware records the touch gestures, compares them with the layout of the victim's on-screen keyboard and, on the basis of this information, infers the text being typed.
MysteryBot and its imperfect extortion module
MysteryBot is equipped with extortion functionality that is evidently derived from LokiBot. Researchers say that the malware can lock the user's files on external storage. It doesn't encrypt the files themselves, but places each of them in a separate, password-protected ZIP archive.
In the experts' view, the extortion module isn't very effective: for example, the archive passwords are only 8 characters long, so they are quite easy to crack. In addition, the password and a unique ID for each victim are sent to the Myster_L0cker remote control panel. However, the ID is merely a number from 0 to 9999, and before it is sent there is no check whether that ID already exists. As a result, the passwords of earlier victims can be overwritten by those of new victims as soon as the ID is synchronised with the MysteryBot backend.
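To show how weak a 0 to 9999 victim ID space with no uniqueness check is, here is an added Python model (not code from the ThreatFabric report) of how quickly IDs collide and how many victims can expect their password record to be overwritten. It assumes, as a simplification, that each victim's ID is drawn uniformly at random from the 10,000 values.

```python
# Birthday-problem model of MysteryBot's victim-ID collisions.
# Assumption (not stated in the article): IDs are uniform random in 0..9999.
ID_SPACE = 10_000  # IDs 0..9999, as described in the analysis


def p_any_collision(n: int, space: int = ID_SPACE) -> float:
    """Probability that at least two of n victims receive the same ID,
    i.e. that at least one stored password has been overwritten."""
    p_no_collision = 1.0
    for i in range(n):
        # the i-th victim must avoid the i IDs already taken
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def expected_overwritten(n: int, space: int = ID_SPACE) -> float:
    """Expected number of victims whose password record was overwritten:
    n victims minus the expected number of distinct IDs among them."""
    expected_distinct = space * (1.0 - (1.0 - 1.0 / space) ** n)
    return n - expected_distinct


def victims_for_collision_probability(target: float,
                                      space: int = ID_SPACE) -> int:
    """Smallest number of victims for which P(collision) >= target."""
    n = 0
    p_no_collision = 1.0
    while 1.0 - p_no_collision < target:
        p_no_collision *= (space - n) / space
        n += 1
    return n


if __name__ == "__main__":
    for victims in (50, 100, 500, 1000, 10_000):
        print(f"{victims:6d} victims: P(overwrite) = "
              f"{p_any_collision(victims):.3f}, expected overwritten = "
              f"{expected_overwritten(victims):.1f}")
    print("50% chance of at least one overwrite after",
          victims_for_collision_probability(0.5), "victims")
```

With only a few hundred infections the chance that at least one victim's password has already been lost is near certain, which is why the researchers call the module ineffective.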
MysteryBot is disguised as Flash Player for Android
According to ThreatFabric analysts, there is no MysteryBot distribution campaign yet, and the malware is still under development. However, the experts expect the distribution methods to be the same as LokiBot's: SMS spam and phishing emails.
The experts remind users that it is better to download applications only from the official Google Play Store, and that users should be wary of products that request permission to use the Accessibility service.