MysteryBot Launches Banking Trojan, Keylogger, And Ransomware

A novel type of Android malware fuses a banking trojan, a keylogger, and ransomware and delivers all three to unsuspecting victims. Researchers at the security company ThreatFabric discovered the malware. At first, it appeared to be an updated variant of LokiBot; however, the researchers are classifying it as a new malware family because it carries several new features.

Still, MysteryBot and LokiBot share the same command and control (C&C) server, revealing a clear connection between the two kinds of malware and raising the possibility that the same actor created both.

MysteryBot is also highly destructive: its trojan component can control functions of the affected device, including the ability to read messages and collect contact details.

It can also execute commands to steal emails and launch apps remotely, though these particular mechanisms do not appear to be working yet, suggesting that the malware is still under development.

Android Malware Targets Most Recent Android Versions

While several Android malware families concentrate on older versions of Google's operating system, this malware actively targets Android 7.0 Nougat and Android 8.0 Oreo, using overlay screens designed to look like legitimate banking sites but in reality controlled by the attackers, the researchers stated.

Bogus pages imitating an array of banks across the globe can be presented to the victim, allowing the attackers to cast a broad net for stealing banking credentials.

Once the malware is on a device and activated, it presents itself as a fake Adobe Flash Player. However, the researchers have not described how the payload is delivered to the infected device.

The researchers state that the malware logs keystrokes in a novel way: rather than reading key events, it infers which key was pressed from the position of the touch on the screen relative to the others, and it can do this whether the keyboard is held horizontally or vertically, they describe in a post.

However, like the other components of this malware, the keylogger still appears to be under development, because at present there is no mechanism for the captured keystrokes to be saved on the command and control server.

MysteryBot Possesses Several Abilities

Beyond infecting Android devices with a trojan and a keylogger, the attackers behind this malware are also experimenting with a ransomware feature. This embedded ransomware module encrypts files one by one and stores them in a password-protected ZIP archive.

When the encryption is finished, a message accuses the affected user of having viewed adult content and instructs the victim to contact an email address to obtain the password, presumably after paying a fee.

But the ransomware feature does not appear to be sophisticated. Not only does it require the victim to make contact by email, but the archive password is only eight characters long, which can be recovered relatively easily.

Also, each victim is assigned an ID between 0 and 9999. Because existing IDs are not checked for uniqueness, the attackers are likely to issue duplicate IDs, making it unlikely that affected users can recover their data.
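The unchecked victim IDs described above make duplicates a quantifiable risk. The following Python, added here and not taken from the report or from any malware sample, applies the birthday bound to the 0 to 9999 ID space stated in the article and simulates how many victims end up holding an ID that no longer identifies a single archive; everything other than the ID range is an assumption of the example.

```python
import random
from itertools import count

# Size of the victim ID space reported for MysteryBot (IDs 0..9999).
ID_SPACE = 10_000


def collision_probability(n_victims: int, id_space: int = ID_SPACE) -> float:
    """Exact probability that at least two of n_victims share an ID when
    IDs are drawn uniformly at random and never checked for uniqueness
    (the classic birthday bound)."""
    if n_victims > id_space:
        return 1.0  # pigeonhole: a duplicate is certain
    p_unique = 1.0
    for k in range(n_victims):
        p_unique *= (id_space - k) / id_space
    return 1.0 - p_unique


def victims_for_probability(target: float, id_space: int = ID_SPACE) -> int:
    """Smallest number of victims at which a duplicate ID is at least
    `target` likely."""
    for n in count(1):
        if collision_probability(n, id_space) >= target:
            return n


def ambiguous_victims(n_victims: int, id_space: int = ID_SPACE, seed: int = 1) -> int:
    """Monte Carlo: hand out unchecked random IDs to n_victims and count how
    many victims share their ID with someone else. Each such victim is at
    risk of never recovering data, because the ID alone cannot tell the
    operator which encrypted archive (and password) belongs to whom."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    ids = [rng.randrange(id_space) for _ in range(n_victims)]
    occurrences = {}
    for victim_id in ids:
        occurrences[victim_id] = occurrences.get(victim_id, 0) + 1
    return sum(1 for victim_id in ids if occurrences[victim_id] > 1)


if __name__ == "__main__":
    n50 = victims_for_probability(0.5)
    print(f"50% chance of a duplicate ID after {n50} victims")
    for n in (100, 500, 1000):
        print(f"{n} victims: P(duplicate)={collision_probability(n):.3f}, "
              f"ambiguous in one simulated run={ambiguous_victims(n)}")
```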

Nevertheless, even with several of its capabilities still in development, MysteryBot remains a real threat.

The improved overlay attacks that work on the newest Android versions, 7 and 8, combined with the advanced keylogging and the tools still under development, will let MysteryBot harvest a wide range of personally identifiable information for identity theft and fraud, the researchers noted.

MysteryBot is not widespread at present and is still being developed, but users should be wary of any app they install that requests an inordinate number of permissions.
