Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.

Named MysteryBot, this malware strain is still under development, according to security researchers from ThreatFabric, who recently ran across this new threat.

MysteryBot has connections to LokiBot

ThreatFabric says MysteryBot appears to be related to the well-known and highly popular LokiBot Android banking trojan.

“Based on our analysis of the code of both Trojans, we believe that there is indeed a link between the creator(s) of LokiBot and MysteryBot,” a ThreatFabric spokesperson told Bleeping Computer via email today.

“This is justified by the fact that MysteryBot is clearly based on the LokiBot bot code,” the spokesperson added.

Furthermore, according to a report the company published yesterday, the recent MysteryBot malware sends data to the same command and control (C&C) server used in a past LokiBot campaign, clearly suggesting they are being controlled and developed by the same person or group.

The reasons why the LokiBot group is now developing MysteryBot are unknown, but they may be related to the fact that the LokiBot source code leaked online a few months back.

Several cyber-crime groups have jumped on the LokiBot code and are also using it now, and the LokiBot crew may be trying to come up with a new malware family they can market on underground forums like they did with the original LokiBot.

“To our knowledge, MysteryBot is not advertised in underground forums at the moment, probably due to the fact that it is still under development,” ThreatFabric told us.

It also appears that the authors of MysteryBot are taking the job of creating something new and worth paying for seriously.


MysteryBot can operate on Android 7 and Android 8

ThreatFabric says MysteryBot is unique in many ways compared not only to LokiBot but also to other Android banking malware such as ExoBot 2.5, Anubis II, DiseaseBot, or CryEye.

For starters, MysteryBot appears to be the first banking malware that can reliably show “overlay screens” on Android 7 and Android 8.

Banking malware uses these overlay screens to show fake login pages on top of legitimate apps. Due to the security features Google engineers added in Android 7 and 8, no malware was able to show overlay screens on these OS versions in a consistent manner.

The problem was that previous malware strains showed the overlay screens at the wrong time: they could not detect which app the user was currently viewing, so they miscalculated when to show the overlay and gave away their presence by prompting the user to log in at the wrong moment.


MysteryBot banking module abuses Usage Access permission

According to ThreatFabric, the MysteryBot team appears to have found a reliable way to time its overlay screens and show them at the proper moment, when the user opens an app and brings it into the foreground.

They did this by abusing the Android PACKAGE_USAGE_STATS permission (commonly named the Usage Access permission), an Android OS feature that exposes usage statistics for installed apps and, indirectly, reveals which app is currently in the foreground.

The current, in-development version of MysteryBot includes custom-made “overlay screens” for a slew of mobile e-banking apps (from Australia, Austria, Germany, Spain, France, Croatia, Poland, Romania) and IM apps such as Facebook, WhatsApp and Viber (listed in full in the ThreatFabric report).

The malware targets over 100 apps in total, and researchers expect MysteryBot to bolster its screen overlay arsenal in the coming weeks.


A very unique keylogger component

The malware also comes with a keylogger component, which is likewise unique when compared to other keyloggers seen in Android malware.

Researchers say that instead of taking screenshots at the moment the user presses a key on the touch-based keyboard to determine what the user is typing, MysteryBot records the screen location of each touch gesture.

This new keylogger component then tries to guess what key the user has pressed based on the touch gesture’s screen position on a virtual keyboard the malware imagines the user is using.

ThreatFabric says this component isn’t working just yet, as current versions don’t do anything with the logged data, such as sending it to a remote server.


MysteryBot contains a faulty ransomware module

Last but not least, just like LokiBot before it, MysteryBot also contains a ransomware module. ThreatFabric says this ransomware module allows crooks to lock all the user’s files stored on external storage devices.

The ransomware doesn’t encrypt files but locks each one in an individual password-protected ZIP archive.

Researchers say the ransomware module is quite shoddily coded. For starters, the ZIP archive password is only eight characters long, meaning it could be very easily brute-forced.

Second, this password and the ID generated for the infected device are sent to a remote control panel named Myster_L0cker.

The problem is that the ID assigned to each victim can be a number between 0 and 9999 only, and there’s no verification of pre-existing IDs when sent to the remote control panel.

Passwords for older victims can be easily overwritten on the control panel when a new victim with the same ID syncs to the MysteryBot backend.
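The ID-collision flaw described above, modelled as an added example (constructed here, not MysteryBot or ThreatFabric code): a panel that keys ZIP passwords by an ID in 0..9999 with no duplicate check, plus the expected number of victims whose recovery key is lost. Function and sample names are assumptions.

```python
"""Model of the victim-ID collision flaw in the described control panel.

Constructed example (not MysteryBot code): the panel keys each victim's
ZIP password by an ID drawn from 0..9999 and, per the report, performs no
check for an existing ID before storing, so a later victim with the same
ID silently replaces the earlier record.
"""

ID_SPACE = 10_000  # IDs run 0..9999 per the ThreatFabric report


def register_victims(reports):
    """Replay (victim_id, zip_password) reports against a panel with no
    duplicate-ID check. Returns (panel, lost) where `lost` lists the
    passwords that were overwritten and can no longer be recovered."""
    panel = {}
    lost = []
    for victim_id, password in reports:
        if not 0 <= victim_id < ID_SPACE:
            raise ValueError(f"ID {victim_id} outside 0..{ID_SPACE - 1}")
        if victim_id in panel:
            lost.append(panel[victim_id])  # previous victim's key is gone
        panel[victim_id] = password
    return panel, lost


def expected_overwrites(n, id_space=ID_SPACE):
    """Expected number of victims whose password is overwritten after n
    infections with uniformly random IDs: n minus the expected number of
    distinct IDs, id_space * (1 - (1 - 1/id_space) ** n)."""
    distinct = id_space * (1 - (1 - 1 / id_space) ** n)
    return n - distinct


def victims_until_duplicate_likely(id_space=ID_SPACE, p=0.5):
    """Smallest n such that P(at least one duplicate ID) >= p (birthday bound)."""
    prob_no_dup = 1.0
    n = 0
    while 1 - prob_no_dup < p:
        n += 1
        prob_no_dup *= (id_space - (n - 1)) / id_space
    return n


if __name__ == "__main__":
    # constructed sample of reports: two different victims receive ID 4242
    sample = [(4242, "Q7x!Lm2p"), (17, "aB3#kd9Z"), (4242, "zz91Hh$w")]
    panel, lost = register_victims(sample)
    print(len(panel), "records,", len(lost), "unrecoverable:", lost)
    print("expected overwrites after 1000 victims:", round(expected_overwrites(1000), 1))
    print("50% chance of a duplicate ID after", victims_until_duplicate_likely(), "victims")
```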


Original Source: Catalin Cimpanu /June 14, 2018


About author

Gloria McCutchen
Chairman & CEO of G2M.US since 1999. I have worked with computers for more than 20 years and have 10 years of experience as a teacher in this area. I have a Bachelor Degree in Computer Engineering and I have a Master’s Degree in Cyber Security. I'm a Digital Marketing Specialist. I have Postgraduate in Pedagogical Education