MysteryBot Android malware aims at banking apps

Security researchers from ThreatFabric have discovered an experimental form of Android malware that is still under development. According to the researchers, the new malware blends the features of a banking trojan, a keylogger, and ransomware, and targets devices running Android 7.0 or 8.0.

Dubbed MysteryBot, the malware bears striking similarities to the infamous LokiBot that created havoc last year, although it adds new tricks of its own. This suggests it was developed by the same malware developer. Initially thought to be a revised version of LokiBot, the malware turned out, on closer inspection, to hold much more.

“During investigation of its network activity we found out that MysteryBot and LokiBot Android banker are both running on the same C&C [command and control] server. This quickly brought us to an early conclusion that this newly discovered Malware is either an update to Lokibot, or another banking Trojan developed by the same actor,” ThreatFabric stated in a blog post.

MysteryBot exhibits exceptional capabilities, taking complete control of the affected device. It can perform a wide range of malicious activities: make phone calls, steal contact information, copy text messages, forward incoming calls to another device, and act as a keylogger. It can also encrypt all the device's files on external storage and delete all contact information on the device.

The malware enters the device by disguising itself as an Adobe Flash Player app for Android. “In general, the consumer must be aware that all of the so called ‘Flash Player (update) apps’ that can be found in and outside the various app stores are malware,” ThreatFabric told Bleeping Computer.

“Many web sites still require visitors to have support for Flash (which has not been available on Android for many years) causing Android users to try and find an app that will let them use that website,” the spokesperson added. “In the end they will just end up installing malware.”

Explaining further, the researchers said, “A new technique has been conceived and is currently being used, it abuses the Android PACKAGE_USAGE_STATS permission (commonly named Usage Access permission). The code of MysteryBot has been consolidated with the so-called PACKAGE_USAGE_STATS technique. Because abusing this Android permission requires the victim to provide the permissions for usage, MysteryBot employs the popular AccessibilityService, allowing the Trojan to enable and abuse any required permission without the consent of the victim.”
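The combination described above, Usage Access plus an enabled AccessibilityService, is something a defender can audit from an ADB shell. The script below is an added example, not code from ThreatFabric or the article; it parses constructed sample output of `settings get secure enabled_accessibility_services` and `appops get <pkg> GET_USAGE_STATS` (the output shapes, the trusted-package list and the package names are assumptions) and flags untrusted packages holding both capabilities.

```python
"""Audit which packages hold the two Android capabilities MysteryBot chains:
Usage Access (PACKAGE_USAGE_STATS, app-op GET_USAGE_STATS) and an enabled
AccessibilityService. Input strings mimic adb output; their exact format
is an assumption, and all sample data here is constructed."""
import re

# Packages an organisation expects to hold these capabilities (constructed).
TRUSTED = {"com.google.android.marvin.talkback"}


def parse_enabled_accessibility(setting: str) -> set[str]:
    """Return package names from the enabled_accessibility_services setting.
    Entries are colon-separated 'pkg/ServiceClass'; 'null' or '' means none."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def usage_access_granted(appops_output: str) -> bool:
    """True if the GET_USAGE_STATS app-op line reports mode 'allow'."""
    return re.search(r"^GET_USAGE_STATS:\s*allow\b", appops_output, re.M) is not None


def suspicious_packages(accessibility_setting: str,
                        appops_by_pkg: dict[str, str]) -> list[str]:
    """Untrusted packages with an enabled accessibility service AND usage access."""
    a11y = parse_enabled_accessibility(accessibility_setting)
    flagged = [pkg for pkg in a11y
               if pkg not in TRUSTED
               and usage_access_granted(appops_by_pkg.get(pkg, ""))]
    return sorted(flagged)


# Constructed sample data: a legitimate screen reader plus a fake "Flash" app.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.flashupdate/.MainAccessibility")
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "No operations.",
    "com.example.flashupdate": "GET_USAGE_STATS: allow; time=+3h12m ago",
}

if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE_A11Y, SAMPLE_APPOPS):
        print("review:", pkg)
```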

The main aim of the MysteryBot malware is reportedly to target banking apps, although the malware can do much more than that. MysteryBot can carry out mobile banking activities under a legitimate-looking disguise without the victim’s knowledge or consent, making it difficult for financial institutions to identify malicious activity.

While MysteryBot is currently not in circulation, LokiBot was previously spread via SMS spam (smishing) and emails (phishing) containing links to an Android app, ThreatFabric told Bleeping Computer.

Users are advised that, to keep their device safe, they should install Android apps only from the Google Play Store and not from any other source. Even then, they should pay attention to what they are downloading from the Play Store.

“There are still many droppers on the Google Play Store as it seems to be an efficient means of distribution,” ThreatFabric said. “However, most Android banking Trojans seem to be distributed via smishing/phishing & side-loading.”

Source: Bleeping Computer