
MysteryBot Android malware discovered; combines banking trojan, ransomware and keylogger

The malware targets Android 7.0 Nougat and Android 8.0 Oreo-based smartphones.

  • Published: June 19, 2018 4:30 PM IST

Android smartphone users are being warned about a new ‘Frankenstein’ virus that cybercriminals are using to read your messages and steal your banking information. Called MysteryBot, it combines features of different types of malware, such as ransomware, a banking trojan and a keylogger, to create malware that can attack on many fronts.

The malware has been discovered by security researchers from ThreatFabric, and it is said to be similar to the infamous LokiBot Android banking trojan. “We believe there is indeed a link between the creator(s) of LokiBot and MysteryBot. This is justified by the fact that MysteryBot is clearly based on the LokiBot bot code,” a ThreatFabric spokesperson told Bleeping Computer.

MysteryBot can be considered an updated version of LokiBot, as both share the same Command and Control (C&C) server. It is highly likely that both malware apps were made by the same attacker. MysteryBot includes generic Android banking trojan functionalities such as saving contacts and messages on a device. It can also act as a keylogger that saves all keystrokes, meaning the malware records everything you type on your smartphone, including passwords and PIN codes.


MysteryBot can also steal emails and remotely start apps. However, these features aren’t enabled yet, meaning that it is still in development. Reports suggest that the malware targets Android Nougat and Oreo versions. Researchers also pointed out that the malware uses screen overlays that are designed to look like a genuine bank site but are run by attackers.

“This view has a width and height of zero pixels and due to the ‘FLAG_SECURE’ setting used, the views are not visible in screenshots. Each view is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use. However, the code for this keylogger seems to still be under development as there is no method yet to send the logs to the C2 server,” the researchers said.

Cybercriminals have also added a new technique that abuses the service permission called ‘Package Usage Stats’, which is easily accessible through the Accessibility Service permission. This allows the malware to enable other permissions on a smartphone without user consent.

As of now, the MysteryBot malware doesn’t seem to be widespread as it is still under development. However, we would advise our readers to always install apps from trusted sources such as the Google Play Store. At the same time, also check the permissions that you give to apps. This will help keep your data safe.
