MysteryBot - the Android malware that's keylogger, ransomware, and trojan

There is a new malware in town – and it is aimed at Android users. The app, called MysteryBot, is still under development and provides everything a criminally inclined person could ever want in one neat little package: it is not only a banking Trojan but also a keylogger and mobile ransomware.

The MysteryBot Android Trojan was recently discovered by ThreatFabric, who at first took it for just another improved version of LokiBot. On closer investigation it quickly became clear that – while based on LokiBot and most likely developed by the same cybercriminals – it had been completely rebranded and considerably “improved”.

A closer look at the malware

It comes disguised as a Flash player app

While Flash may disappear in 2020, there are still plenty of pages that use the player, which is why malware posing as an Adobe Flash Player app can easily find its way onto the phones of potential victims. Like most apps, MysteryBot asks the user for a handful of permissions. Once they are granted, it can and will proceed with its nefarious purpose.

All those features in one malware

As soon as it’s on the victim’s device, the Trojan can execute one of the following built-in commands that the security researchers were able to compile:

Phishing more sophisticated than ever

While the above list is already pretty impressive, there is still more. The bot also uses a new technique to overlay phishing screens that actually works reliably on Android 7 and 8. Due to restrictions imposed by Security Enhanced Linux (SELinux) and other security controls, this had been made exceedingly hard for malware authors in the past. The new and improved phishing screens target over 100 applications, including mobile banking and social media apps.

A new kind of keylogger

Speaking of innovation: the bot also uses a new method of logging what is being typed. Instead of taking screenshots at the moment the user presses keys on the touchscreen, MysteryBot calculates the on-screen location of the keys. Using the resulting grid, it can guess which keys are being tapped. According to ThreatFabric this component is not working yet, but it will most likely be deployed in the near future.

Ransomware Mystery_L0cker

Last but not least, MysteryBot also contains built-in ransomware. Instead of encrypting the files, though, it locks each of them away in an individual password-protected .zip archive. Once done, it tells the victim that they were watching pornographic content and must contact the provided email address.

Image Source: ThreatFabric

The ransomware module is where the bot gets a bit shoddy, according to the researchers. The generated password is 8 characters long and is drawn from the letters of the Latin alphabet (upper and lower case) plus the digits. This does not leave room for a lot of combinations and could easily be brute-forced.
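As an added illustration that is not part of the original article or ThreatFabric's analysis, the following Python works out how small that 62-symbol, 8-character keyspace really is; the guess rates are assumptions, since real throughput depends on the archive's encryption scheme and the hardware used for recovery.

```python
# Added example (not from the article or ThreatFabric): sizing the keyspace of an
# 8-character [A-Za-z0-9] archive password to judge the brute-force risk.
import math

LATIN_ALNUM = 26 + 26 + 10  # upper case, lower case, digits = 62 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent key strength in bits (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def expected_hours(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password (half the keyspace)."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second / 3600


if __name__ == "__main__":
    # Assumed rates only: a GPU cracking rig versus a single modest CPU.
    for label, rate in (("assumed 1e9 guesses/s", 1e9), ("assumed 1e6 guesses/s", 1e6)):
        hours = expected_hours(LATIN_ALNUM, 8, rate)
        print(f"MysteryBot policy (62^8, {entropy_bits(LATIN_ALNUM, 8):.1f} bits): "
              f"{hours:,.1f} h at {label}")
    # Contrast: doubling the length with the same alphabet
    print(f"62^16 ({entropy_bits(LATIN_ALNUM, 16):.1f} bits): "
          f"{expected_hours(LATIN_ALNUM, 16, 1e9):.3g} h at assumed 1e9 guesses/s")
```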

How to stay safe

“MysteryBot is still under development at the time of writing and not widely spread,” is how the researchers closed their blog post. While this is certainly true, there is still plenty of other malware up and about, and at some point in the future the bot itself will be among it, too.

So what can you do to stay safe?
