MysteryBot: Android malware which is similar to the infamous LokiBot
Experts have recently detected a new Android malware lurking in cyberspace. Security researchers categorize it as a banking trojan that shares similar, though slightly updated, features with LokiBot. It is therefore believed that MysteryBot is either an updated version of the earlier Android virus or that the same author developed it.
Compared to LokiBot, this new cyber threat for Android devices has several differences:
- the name;
- improved commands;
- altered network communication.
The MysteryBot banking trojan has numerous capabilities that allow the malware to call a given number, collect phonebook information, copy all text messages, record keystrokes, encrypt all files on the external storage device, send SMS messages to the contacts stored on the phone, and many others.
The new Android virus disguises itself as a fake Adobe Flash Player app to operate on Android 7 and 8
According to the analysis, MysteryBot is one of a kind in that it can generate legitimate-looking overlay screens on Android 7 and 8 to lure people into handing over their credentials. This is what makes the malware special: other attackers have not managed to display the overlay at the right moment, which gives the user a chance to realize that their device is infected.
This unique Android virus disguises itself as a fraudulent Adobe Flash Player application to trick people into granting the Usage Access permission, which the malware requires to take over the device. Experts call this infiltration method the PACKAGE_USAGE_STATS technique; it works because people rarely check which permissions are being requested.
The code of MysteryBot has been consolidated with the so-called PACKAGE_USAGE_STATS technique. Because abusing this Android permission requires the victim to grant it, MysteryBot employs the popular AccessibilityService, allowing the trojan to enable and abuse any required permission without the victim's consent.
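The two capabilities described above, an enabled accessibility service and the Usage Access grant, are both visible through standard Android tooling, which makes them a practical triage check for an analyst examining a device suspected of carrying a fake "Flash Player" app. The script below is an added example and is not code from the article or from the malware; the `adb shell settings`, `pm list packages -3` and `appops get` commands are real Android commands, while the parsing functions, the illustrative trusted-package prefixes and the assumed `GET_USAGE_STATS: allow` output line format are this example's own assumptions. The parsers take the raw command output as arguments so they can also be run against text captured earlier, without a device attached.

```shell
#!/bin/sh
# Added triage example (not from the article): list third-party accessibility
# services and usage-access grants on an Android device. A banking trojan that
# relies on AccessibilityService plus PACKAGE_USAGE_STATS shows up in both lists.

# Parse the value of Settings.Secure "enabled_accessibility_services" (a
# colon-separated list of package/ServiceClass components) and print every
# component whose package does not start with one of the trusted prefixes
# given in $2 (space-separated). The prefix list is illustrative only.
list_untrusted_accessibility() {
    services="$1"; trusted="$2"
    printf '%s\n' "$services" | tr ':' '\n' | while IFS= read -r comp; do
        [ -z "$comp" ] && continue
        pkg="${comp%%/*}"          # component is <package>/<service class>
        ok=0
        for t in $trusted; do
            case "$pkg" in "$t"*) ok=1 ;; esac
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$comp"; fi
    done
}

# Inspect one `appops get <pkg> GET_USAGE_STATS` output line; return 0 when the
# package has been granted usage access ("allow"), 1 otherwise.
# Assumed line format: "GET_USAGE_STATS: allow; time=+3h20m ago".
usage_access_granted() {
    case "$1" in *"GET_USAGE_STATS: allow"*) return 0 ;; esac
    return 1
}

# Live mode: run against an attached device when invoked with --device.
if [ "${1:-}" = "--device" ] && command -v adb >/dev/null 2>&1; then
    svc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    echo "== accessibility services outside the trusted prefixes =="
    list_untrusted_accessibility "$svc" "com.google.android com.android"
    echo "== third-party packages with usage access =="
    for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        line=$(adb shell appops get "$pkg" GET_USAGE_STATS | tr -d '\r')
        usage_access_granted "$line" && echo "$pkg"
    done
fi
```

Run it as `sh triage.sh --device` with USB debugging enabled; any third-party package that appears in both lists deserves a closer look, since a legitimate app rarely needs both an accessibility service and usage-access statistics.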
MysteryBot also contains ransomware-like features
During the investigation, experts also discovered a faulty ransomware module in MysteryBot. In simple terms, the malware is capable of locking files on external storage devices. However, the virus does not actually encrypt the data; instead, it locks each file in an individual ZIP archive protected with a unique password.
However, IT specialists detected several failures when analyzing the ransomware-like features of MysteryBot:
- The password is only eight characters long, so it can easily be obtained by brute force;
- There is a possibility that the unique ID given to a victim can be overwritten by a new victim with the same ID, so older victims would be unable to recover their data.