June 20, 2018
Banking apps on Android devices have been hit by another malware attack, and the threat responsible has been identified as MysteryBot. According to researchers, this malware combines ransomware, a keylogger, and a banking trojan. This alone makes it far more dangerous and harmful than any other malware that was discovered recently.
New malware appears
A new piece of malware dubbed MysteryBot has appeared, and it poses a large threat to banking apps on Android devices. It combines several malicious components, including ransomware, a banking trojan, and a keylogger. Researchers claim that it is quite similar to LokiBot, which appeared in 2017. Back then, any attempt to remove that malware caused it to change its behavior and start working as ransomware.
MysteryBot, however, might easily be an even bigger threat due to its large malicious arsenal. ThreatFabric's researchers were the first to issue a warning about this malware, which is attacking apps on Android 7 and 8. Additionally, both LokiBot and MysteryBot were found to be running on the very same C&C server.
The malware is more dangerous than any before
MysteryBot is lethal, and the danger comes from its ability to take full control once it infects a device. Its arsenal consists of a keylogger, ransomware, and a banking trojan, which work together to completely take over the Android system. It also uses a new form of overlay technique that exploits PACKAGE_USAGE_STATS, one of the device's service permissions. By exploiting it, the malware can also easily gain access to other permissions, and it does not require the user's consent to do so.
Its keylogger lets it drop all of the previously known techniques. Instead of relying on those, it calculates the locations of the keyboard rows and then starts viewing each of the device's keys. One good thing is that the keylogger is still being developed, and it currently cannot send data to the C&C server.
Still, this doesn't make the malware any less of a threat, since it can still use its ransomware component to encrypt all of the phone's files located in the external storage directory, including those in every one of its subdirectories. After encrypting them, it deletes the original files.
According to the researchers' report, once the files are encrypted, the malware displays a message that accuses the victim of watching pornography. It then claims that the user can get the password that would decrypt the files by contacting a certain email address (googleprotect(at)mail.ru).
The good news is that the malware has not managed to spread yet, since some of its crucial parts are still being developed. However, Android users are advised not to install any app that comes from outside the Google Play Store. According to the researchers, this is the safest way to avoid catching the malware on their devices, for now. The researchers added that the majority of banking trojans arrive through phishing, side-loading, and smishing, so users are advised to remain very careful about their online actions.
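As a defender-side illustration of the two points above (the abuse of PACKAGE_USAGE_STATS and the advice to avoid side-loaded apps), the following added example flags packages that request that permission but were not installed by Google Play. It is not code from the article or from ThreatFabric; the sample text is constructed, simplified from the layout of `adb shell dumpsys package` output, and the package names are hypothetical.

```python
import re

USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS"
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Constructed sample (not real device output); real dumpsys output carries
# many more fields and varies between Android versions.
SAMPLE = """\
Package [com.example.bank] (a1b2c3):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
Package [com.example.sideloaded] (d4e5f6):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.PACKAGE_USAGE_STATS
Package [com.example.cleaner] (0718ab):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.PACKAGE_USAGE_STATS
"""

def parse_packages(text):
    """Return {package: {"installer": str or None, "permissions": set}}."""
    packages, current, in_perms = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:
            current = packages.setdefault(
                header.group(1), {"installer": None, "permissions": set()})
        elif current and in_perms and re.fullmatch(r"[\w.]+", line):
            current["permissions"].add(line)
            continue  # still inside the permissions list
        elif current and line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current["installer"] = None if value == "null" else value
        # Any line other than a permission entry ends the permissions list.
        in_perms = current is not None and line == "requested permissions:"
    return packages

def flag_sideloaded_usage_stats(text):
    """Packages not installed by Google Play that request PACKAGE_USAGE_STATS."""
    pkgs = parse_packages(text)
    return sorted(name for name, p in pkgs.items()
                  if p["installer"] != PLAY_STORE and USAGE_STATS in p["permissions"])

print(flag_sideloaded_usage_stats(SAMPLE))
```

A hit is a lead for review rather than proof of infection, since legitimate apps also request this permission.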