Android is the most popular operating system for smart gadgets. It is open-source and so capable that all the major smart-gadget vendors now use Android as the operating system for their devices. That is also why hackers target this platform more than ever. Recently, a new malware strain was discovered that combines three different malware types: a banking Trojan, a keylogger and a ransomware module.
The new malware – MysteryBot
This new malware strain is still under development, but it was recently discovered by security researchers from ThreatFabric, who ran across the new threat.
The researchers said that the new malware appears to be related to LokiBot, a well-known Android banking Trojan.
According to ThreatFabric, code analysis of the new strain strongly suggests that there are clear links between the two, and that MysteryBot is based on LokiBot code.
The recent report on the new strain also shows that MysteryBot communicates with the same C&C server that the LokiBot campaign used, which further suggests that both pieces of malware are the work of the same hacker(s) or group.
The reason behind the development of this new malware is unknown. A plausible explanation is that, because the LokiBot source code was leaked online, other cyber-criminal groups are already using it, so a new strain would be more likely to attract buyers on the underground market. According to the ThreatFabric researchers, though, MysteryBot is not yet advertised on those forums, as it is still under development.
MysteryBot works on Android 7 and 8
According to ThreatFabric, MysteryBot differs in many ways from other malware strains such as LokiBot, Anubis II, CryEye and DiseaseBot.
For example, MysteryBot seems to be the first that can reliably show “overlay screens” on Android 7 and 8. Such overlays, drawn on top of legitimate apps, are an effective way of stealing passwords. Because of the platform's security features, no malware had previously succeeded in using proper overlay screens on Android 7 (Nougat) and Android 8 (Oreo).
MysteryBot is now able to show the overlay at exactly the right moment: when the user opens a banking app. It does this by abusing the Android “Usage Access” permission, which indirectly leaks which app the user is currently using.
Other components
MysteryBot also ships with other modules, namely a keylogger and a faulty ransomware module. Let's look at these two.
The keylogger is an advanced one, not seen in the current Android malware scene. Instead of taking screenshots of what users are typing, it directly captures the location of each touch gesture. Then, using the touch positions, the malware tries to guess the password string from the layout of the virtual keyboard. This module is still not active.
The ransomware module isn't well coded. According to ThreatFabric, instead of encrypting files on the device, the module packs them into password-protected ZIP archives. The password isn't strong enough to protect the archives from brute-force attacks. Moreover, the stored password can easily be overwritten in the control panel when a new victim with the same ID syncs with the MysteryBot backend.
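A triage check for the ZIP-based ransomware behaviour described above, added here as an example (it is not ThreatFabric's or the malware's code): it walks a directory and reports archives whose entries carry the ZIP encryption bit, recognising archives by header magic rather than by extension. The fixture archive, the file names and the hand-patched flag bytes are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

LOCAL_HEADER_MAGIC = b"PK\x03\x04"  # local file header signature
CENTRAL_DIR_MAGIC = b"PK\x01\x02"  # central directory header signature
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose bit flag

def encrypted_entries(data: bytes) -> List[str]:
    """Names of entries flagged encrypted; raises BadZipFile on non-ZIP data."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]

def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Map each password-protected ZIP under root (by magic, not extension) to its entry names."""
    hits: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not data.startswith(LOCAL_HEADER_MAGIC):
            continue
        try:
            names = encrypted_entries(data)
        except zipfile.BadZipFile:
            continue  # truncated or corrupt archive: skip rather than abort the scan
        if names:
            hits[str(path)] = names
    return hits

def build_sample_encrypted_zip() -> bytes:
    """Constructed fixture: one-entry archive with the encrypted flag set.
    zipfile cannot write encrypted archives, so the flag byte is patched by hand
    (offset 6 in the local header, offset 8 in the central directory header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photo.jpg", b"constructed placeholder content")
    raw = bytearray(buf.getvalue())
    raw[raw.find(LOCAL_HEADER_MAGIC) + 6] |= ENCRYPTED_FLAG
    raw[raw.find(CENTRAL_DIR_MAGIC) + 8] |= ENCRYPTED_FLAG
    return bytes(raw)

def demo_scan() -> Dict[str, List[str]]:
    # Temp dir with the fixture renamed to .bin plus one plain file; returns {name: entries}.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "holiday.bin").write_bytes(build_sample_encrypted_zip())
        Path(tmp, "notes.txt").write_bytes(b"plain text, not an archive")
        return {Path(k).name: v for k, v in scan_directory(Path(tmp)).items()}
```

Running `demo_scan()` on the constructed directory reports only the renamed archive, so a responder can inventory affected files before deciding on recovery.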
How to stay secure
There are many ways this malware can make its way onto your phone. That is why it is strongly recommended not to install apps from unverified sources, and to be cautious even with apps from the Google Store. Several apps in the wild download payloads from a server, and if the developer wishes, those payloads can easily be swapped for powerful malware that collects sensitive information for them.