Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.
Named MysteryBot, this malware strain is still under development, according to security researchers from ThreatFabric, who recently ran across this new threat.
ThreatFabric says MysteryBot appears to be related to the well-known and highly popular LokiBot Android banking trojan.
"Based on our analysis of the code of both Trojans, we believe that there is indeed a link between the creator(s) of LokiBot and MysteryBot," a ThreatFabric spokesperson told Bleeping Computer via email today.
"This is justified by the fact that MysteryBot is clearly based on the LokiBot bot code," the spokesperson added.
Furthermore, according to a report the company published yesterday, the recent MysteryBot malware sends data to the same command and control (C&C) server used in a past LokiBot campaign, clearly suggesting they are being controlled and developed by the same person or group.
The reasons why the LokiBot group is now developing MysteryBot are unknown, but they may be related to the fact that the LokiBot source code leaked online a few months back.
Several cyber-crime groups have jumped on the LokiBot code and are also using it now, and the LokiBot crew may be trying to come up with a new malware family they can market on underground forums like they did with the original LokiBot.
"To our knowledge, MysteryBot is not advertised in underground forums at the moment, probably due to the fact that it is still under development," ThreatFabric told us.
It also appears that the authors of MysteryBot are taking the job of creating something new and worth paying for seriously.
ThreatFabric says MysteryBot is unique in many ways compared to LokiBot, and also compared with other Android banking malware such as ExoBot 2.5, Anubis II, DiseaseBot, or CryEye.
For starters, MysteryBot appears to be the first banking malware that can reliably show "overlay screens" on Android 7 and Android 8.
Banking malware uses these overlay screens to show fake login pages on top of legitimate apps. Due to the security features Google engineers added in Android 7 and 8, no malware had been able to show overlay screens on these OS versions in a consistent manner.
The problem was that previous malware strains showed their overlay screens at the wrong time: they could not detect which app the user was currently viewing, so they miscalculated when to show the overlay and gave away their presence by prompting the user to log in at the wrong moment.
According to ThreatFabric, the MysteryBot team appears to have found a reliable way to time its overlay screens and show them at the proper moment, when the user opens an app and brings it into the foreground.
They did this by abusing the Android PACKAGE_USAGE_STATS permission (commonly named the Usage Access permission), an Android OS feature that exposes usage statistics about apps and, indirectly, leaks which app is currently in use.
The current, in-dev version of MysteryBot includes custom-made "overlay screens" for a slew of mobile e-banking (from Australia, Austria, Germany, Spain, France, Croatia, Poland, Romania) and IM apps such as Facebook, WhatsApp and Viber (listed in full in the ThreatFabric report).
The malware targets over 100 apps in total, and researchers expect MysteryBot to bolster its screen overlay arsenal in the coming weeks.
Furthermore, the malware also comes with a keylogger component, which is itself unique when compared to other keyloggers found in Android malware.
Researchers say that instead of taking screenshots at the moment the user presses a key on the touch-based keyboard to determine what the user is typing, MysteryBot records the location of a touch gesture instead.
This new keylogger component then tries to guess what key the user has pressed based on the touch gesture's screen position on a virtual keyboard the malware imagines the user is using.
ThreatFabric says this component isn't working just yet, as current versions don't do anything with the logged data, such as sending it to a remote server.
Last but not least, just like LokiBot before it, MysteryBot also contains a ransomware module. ThreatFabric says this ransomware module allows crooks to lock all the user's files stored on external storage devices.
The ransomware doesn't encrypt files but locks each one in an individual password-protected ZIP archive.
Researchers say the ransomware module is quite shoddily coded. For starters, the ZIP archive password is only eight characters long, meaning it could be very easily brute-forced.
Second, this password and the custom-generated ID assigned to the infected device are sent to a remote control panel named Myster_L0cker (image below).
The problem is that the ID assigned to each victim can only be a number between 0 and 9999, and the control panel does not check whether an ID is already in use when a new one is sent to it.
As a result, an older victim's password can easily be overwritten on the control panel when a new victim with the same ID syncs to the MysteryBot backend.
ThreatFabric says the current versions of MysteryBot it spotted until now have been disguised as a Flash Player app for Android.
"In general, the consumer must be aware that all of the so called 'Flash Player (update) apps' that can be found in and outside the various app stores are malware," ThreatFabric told Bleeping Computer.
"Many web sites still require visitors to have support for Flash (which has not been available on Android for many years) causing Android users to try and find an app that will let them use that web site," the spokesperson added. "In the end they will just end up installing malware."
While MysteryBot is currently not in circulation, ThreatFabric told us that LokiBot was previously spread via SMS spam (smishing) and emails (phishing) containing links to an Android app. Users were expected to side-load this malicious app and then grant it access to the Android Accessibility service before the malware could do any damage. It is safe to say that MysteryBot may be distributed in the same way, based on the existing connections to the LokiBot crew.
Experts recommend that users avoid side-loading (installing) apps from outside the Play Store, and avoid granting apps access to the Accessibility service, which in the vast majority of cases is requested by malware.
In its current form, MysteryBot still needs access to the Accessibility service, which it uses for its keylogger and ransomware components.
The malware also uses access to the Accessibility service to grant itself permission to access the PACKAGE_USAGE_STATS feature without prompting the user. This means that users may still be able to spot MysteryBot before getting infected when they're prompted to allow an app access to the highly-privileged Accessibility service.
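The two privileges described above, Accessibility access plus Usage Access (PACKAGE_USAGE_STATS), are the combination MysteryBot needs, so an analyst or administrator triaging a device can look for apps that hold both. The helper below is an added example, not ThreatFabric's or MysteryBot's code; it parses constructed samples of the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated ComponentName strings) and `adb shell appops get <package> GET_USAGE_STATS`, whose formats are assumed here, and the package names are made up.

```python
"""Added triage example (not from ThreatFabric or MysteryBot): flag packages that have
both an enabled Accessibility service and Usage Access, minus a reviewer's allowlist."""
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries (format assumed; names made up).
ENABLED_A11Y = ("com.example.screenreader/com.example.screenreader.ReaderService:"
                "com.example.flashplayer/com.example.flashplayer.HelperService")

# Constructed samples of `adb shell appops get <package> GET_USAGE_STATS` per package
# (format assumed: "GET_USAGE_STATS: allow; ..." when Usage Access is granted).
APPOPS = {
    "com.example.screenreader": "No operations.",
    "com.example.flashplayer": "GET_USAGE_STATS: allow; time=+3m12s ago",
}

# Packages the reviewer has already vetted as legitimately needing these privileges
# (hypothetical allowlist for the example).
KNOWN_GOOD = {"com.example.screenreader"}


def a11y_packages(setting: str) -> set:
    """Package names that currently have an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if "/" in entry}


def usage_access_allowed(appops_output: str) -> bool:
    """True if the appops line reports GET_USAGE_STATS as allowed."""
    return re.match(r"GET_USAGE_STATS:\s*allow\b", appops_output.strip()) is not None


def suspicious_packages(setting: str, appops: dict, known_good: set) -> list:
    """Packages holding Accessibility + Usage Access that are not on the allowlist.
    Usage Access alone is not flagged: many legitimate apps request only that."""
    flagged = []
    for pkg in sorted(a11y_packages(setting)):
        if pkg in known_good:
            continue
        if usage_access_allowed(appops.get(pkg, "")):
            flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    for pkg in suspicious_packages(ENABLED_A11Y, APPOPS, KNOWN_GOOD):
        print(f"review: {pkg} has Accessibility access and Usage Access")
```

On a real device the two command outputs would be collected with adb and fed to these functions in place of the constructed samples.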
Users should also pay attention to what they download from the Play Store itself.
"There are still many droppers on the Google Play Store as it seems to be an efficient means of distribution," ThreatFabric said. "However, most Android banking Trojans seem to be distributed via smishing/phishing & side-loading."
You may not be getting a banking trojan, but you're getting malware nevertheless.
9 more apps with 130K+ installs based on Play Store pic.twitter.com/gikF612Z7R
Lukas Stefanko (@LukasStefanko), June 13, 2018