ThreatFabric has found a new Android malware called MysteryBot, which is quite similar to the Android banking trojan LokiBot. As per the report, MysteryBot is a keylogger, banking trojan, and ransomware that is being considered an updated version of LokiBot as the two malwares were detected under the same sample by ThreatFabric’s detection rule and share the same Command and Control (C&C) server. This suggests that both malwares could’ve been made by the same attacker. The malware features some generic Android banking Trojan functionalities like getting contacts and messages saved on a device, and it can also act as a keylogger and save all keystrokes happening on an infected device.
The MysteryBot malware also has commands that enable it to steal emails, and boot the bot remotely. However, it seems that the code for performing these tasks are not present and are presumed to be in development. With Android 7 and 8, screen overlay techniques were rendered useless for malware apps, but the MysteryBot malware comes with overlay modules that actively target devices running on Android versions 7 and 8. For accomplishing this, it makes use of a PACKAGE_USAGE_STATS technique and in order to abuse this Android permission, it employs the popular AccessibilityService, which once granted, gives extensive control over the device. Using overlays, the malware can display fake websites from a wide variety of banks across the world to the user for stealing credentials. After installation, It is listed as a fake version on Adobe Flash Player.
There are a slew of banking apps, which can be affected by the malware for displaying screen overlay, and they are said to be still under development, with more expected to be added over time. Some popular banking apps from India are also on the list such as Axis Mobile, iMobile by ICICI Bank, Facebook, HSBC Mobile Banking, SBI Anywhere Personal, HDFC Bank Mobile Banking, Union Bank Mobile Banking, Baroda mPassbook and more. You can check out the complete list here.
As the malware also functions as a keylogger, ThreatFabric analysed its functionality to find that it was not using any of the known older techniques. In fact, it is said to employ a new and ‘innovative’ technique, which considers the location of each key of the keyboard that has a set location on the screen. This means that it takes touch data into account for keylogging. As mentioned above, the keylogger functionality seems to be still under development as currently there is no method for sending the logs to the server.
The developer of the malware has also been developing ransomware capabilities. The report states that the MysteryBot comes equipped with ransomware feature that enables it to individually encrypt all files in external storage, including every sub-directory, and store them in individual password-protected ZIP archives. The original file is then deleted after encryption and as soon as the files are encrypted, a message accusing the victim of watching pornographic material is displayed. Also, for receiving the password for decrypting the encrypted files, the user is instructed to contact an email, where they are presumed pay for the decryption key.
However, it seems that the ransomware capabilities are not that complex as the passwords used during encryption of files is said to be only eight characters long and consist of only upper and lowercase Latin alphabets that are combined with numbers. This password could be cracked using the brute-force method with enough resources and processing power. Additionally, victims are assigned an ID between 0 and 9999, without any verification of existing IDs. This means that the IDs could be duplicated, resulting in permanent data loss for older victims with duplicate IDs.
Even though some of the capabilities of MysteryBot are underdeveloped, the malware is still a considerable threat. The research states, “The ransomware also includes a new highly annoying capability that deletes the contacts in the contact list of the infected device, something not observed in banking malware till now…The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of Personal Identifiable Information in order to perform fraud.” The malware is currently not widespread and still under development, but after reading about the data it can access and its worrying capabilities, we advise you not to download apps from unknown sources and keep an eye out for apps that ask you for excessive permissions.