MysteryBot Android Malware Combines Banking Trojan, Ransomware, and Keylogger

By Sumit Chakraborty | Updated: 18 June 2018 17:42 IST
Highlights
  • MysteryBot combines a banking trojan, keylogger, and ransomware
  • MysteryBot runs on the same command and control server as LokiBot
  • The malware targets devices running on Android 7.x or 8.x

A new Android malware that combines a banking trojan, ransomware, and a keylogger has been discovered. Security researchers at ThreatFabric found the malware, which packs all three threats into one package and was initially thought to be an updated version of LokiBot. Because it comes with various new features, however, the researchers have labelled it a new form of malware, called MysteryBot. Notably, MysteryBot targets smartphones running Android 7.x or Android 8.x.

According to a blog post by ThreatFabric, the MysteryBot and LokiBot Android malware are "both running on the same C&C server." Because they share the same command and control server, there could be a strong link between the two forms of malware, and they could have been developed by the same attacker. What makes MysteryBot lethal is its ability to take control of users' phones. Apart from Android banking trojan functionality, the malware exhibits overlay, keylogging, and ransomware functionality.

The malware also contains commands for stealing emails and remotely starting apps. However, these tools are not active yet, meaning the malware is still in its development phase. MysteryBot is reportedly able to target the latest Android versions, Nougat and Oreo. Researchers say that the malware uses overlay screens that are designed to look like real bank sites but are run by attackers.


The researchers also said that a new technique abuses a service permission called 'Package Usage Stats' that is accessible through the Accessibility Service permission in Android phones. This method allows the trojan to enable and abuse any other permission without the user's consent.


The MysteryBot also contains a keylogger. But researchers said that none of the already-known keylogging techniques was used. Instead, the malware calculates the location for each row and places a view over each key.

"This view has a width and height of zero pixels and due to the 'FLAG_SECURE' setting used, the views are not visible in screenshots. Each view is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use," said researchers. However, they added, "The code for this keylogger seems to still be under development as there is no method yet to send the logs to the C2 server."


The malware also has inbuilt ransomware to individually encrypt all files in the external storage directory, including every subdirectory, after which the original files are deleted. "The encryption process puts each file in an individual ZIP archive that is password protected, the password is the same for all ZIP archives and is generated during runtime. When the encryption process is completed, the user is greeted with a dialog accusing the victim of having watched pornographic material," said researchers.
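The per-file archive pattern described above leaves a recognisable trace on storage: many ZIP files that each hold exactly one encrypted entry. The following triage check is an added example, not code from ThreatFabric or from this article; the function names, thresholds, and sample snapshot are assumptions made for illustration, and the sample archives are constructed by setting the ZIP encryption flag rather than by real encryption.

```python
import io
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry data is encrypted


def is_single_encrypted_zip(data: bytes) -> bool:
    """True when data parses as a ZIP with exactly one entry, and it is encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()  # reads the central directory only
    except zipfile.BadZipFile:
        return False
    return len(entries) == 1 and bool(entries[0].flag_bits & ENCRYPTED)


def triage(files: dict, min_hits: int = 3, min_ratio: float = 0.5) -> dict:
    """Flag a storage snapshot where most files are one-file encrypted archives."""
    hits = sorted(p for p, d in files.items() if is_single_encrypted_zip(d))
    ratio = len(hits) / len(files) if files else 0.0
    return {"hits": hits, "ratio": ratio,
            "suspicious": len(hits) >= min_hits and ratio >= min_ratio}


def make_sample(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted ZIPs, so the
    flag bit is set by patching the local and central headers (no real crypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits 6 bytes into a local header, 8 into a central one.
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + flag_off] |= ENCRYPTED
    return bytes(raw)


# Constructed snapshot of an external-storage tree (paths and contents invented).
SAMPLE = {
    "DCIM/IMG_0001.jpg.zip": make_sample("IMG_0001.jpg", b"jpeg-bytes", True),
    "DCIM/IMG_0002.jpg.zip": make_sample("IMG_0002.jpg", b"jpeg-bytes", True),
    "Download/report.pdf.zip": make_sample("report.pdf", b"pdf-bytes", True),
    "Music/track.mp3.zip": make_sample("track.mp3", b"mp3-bytes", True),
    "Download/backup.zip": make_sample("backup.txt", b"user data", False),
    "notes.txt": b"plain text, not an archive",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
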

From the looks of it, MysteryBot is not yet widespread, as it is still under development. However, you should be wary of any apps that ask for an excessive number of permissions, and always install apps from trusted sources, such as Google Play.

 
