Security researchers have discovered a new type of malware that combines a banking trojan, keylogger, and mobile ransomware in one package.
According to researchers at Threat Fabric, the malware, known as MysteryBot, runs on the same C&C server as the LokiBot Android banking trojan.
“This quickly brought us to an early conclusion that this newly discovered Malware is either an update to Lokibot, or another banking trojan developed by the same actor," said researchers in a blog post.
They said that MysteryBot has generic Android banking trojan functionalities, but its overlay, key logging and ransomware functionalities are novel.
Researchers said that following the launch of version 7 and 8 of Android, the previously used overlay techniques were rendered inaccessible, forcing the financially motivated threat actors to find a new way to use overlays in their banking malware. This has meant that criminals have had to find new techniques to time the overlay attack correctly on Android 7 and 8.
They said that a new technique abuses a service permission called PACKAGE USAGE STATS which is accessible through the Accessibility Service permission. This allows the trojan to enable and abuse any other permission without the user's consent.
The malware also contains a keylogger, but researchers said that none of the known keylogging techniques were used. Instead it calculates the location for each row and places a view over each key.
“This view has a width and height of zero pixels and due to the "FLAG_SECURE" setting used, the views are not visible in screenshots. Each view is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use,” said researchers.
They added that the keylogger seems to still be under development as there is no method yet to send the logs to the C2 server.
The malware also has built-in ransomware to individually encrypt all files in the external storage directory, including every sub directory, after which the original files are deleted.
“The encryption process puts each file in an individual ZIP archive that is password protected, the password is the same for all ZIP archives and is generated during runtime. When the encryption process is completed, the user is greeted with a dialog accusing the victim of having watched pornographic material,” said researchers.
Mark James, security specialist at ESET, told SC Media UK that this particular strain of Android malware appears to have successfully managed to show “overlay screens” on Android 7 & 8, which could be used to either show fake logon screens over legitimate apps, or trick the user into granting permissions by masquerading screen presses as other functions.
“For most of these functions to happen the app itself needs to be granted access to the Accessibility service, a service mostly used by malware,” he said. “Limiting the installation of side-loading apps from outside the Play Store will limit your attack footprint and will in most cases lower your chances of being infected. Making sure your device has a good multi-layered security product installed, is up-to-date, fully patched and always ensuring you read reviews of apps before you install them, can help to keep you safe.”
Kevin Breen a director at Immersive Labs, told SC Media UK that main goal of the malware is typically financial.
“The ability to intercept passwords provides details that would be used to gain access to bank accounts. Being mobile this also gives the attacker access to any two factor authentication SMS messages,” he said. “Targeting an organisation through a mobile device can sometimes lead to bypassing corporate firewalls and filters if they are configured to connect to corporate networks. Gaining control of the mobile device would also allow the attacker to gain access to any corporate data and user details in messages and call logs.”
