Cybersecurity researchers have recently found a new Android banking trojan that resembles the infamous LokiBot. The difference is that the newly discovered trojan has new tricky features, most notably its ability to perform overlay attacks on Android 7 and 8.
After running a malware analysis on the new MysteryBot trojan, researchers found that it was using the same C&C server as the LokiBot Android banker discovered in 2017. This led them to conclude that it is either an update to LokiBot or something new developed by the same actor.
The good news is that the new trojan is still under development and, for the moment, is not widely spread.
This new piece of malware has the generic functionality of an Android banking trojan; once an infection occurs, the attacker can use MysteryBot modules to make phone calls, access contact list information, capture keystrokes and encrypt files on external storage.
Researchers warn that in the future it could do far more damage than it does now. This bot seems to be above average: the overlay, keylogging and ransomware functionalities are novel. Looking at the bot commands, researchers first thought that LokiBot had simply been improved, but they quickly realized that is not the case, because the name of the bot and the name of the panel changed to ‘MysteryBot’, and even the network communication changed.
This new trojan is spread via phishing, with the payload side-loaded onto the device. Until now the trojan has not been very active (200 infections), but it will probably spread more widely once it is fully functional.
Companies and individuals must take certain precautions against this growing phenomenon of cyber attacks; they should implement at least one cybersecurity solution, such as an antivirus, to protect their systems. Necessary measures include regularly updating operating systems and other firmware, and using an antivirus for Windows, an antivirus for Mac, or an antivirus for Android, depending on which OS the device is running. Companies should also hire professional cybersecurity firms to perform regular checkups of their internal network a couple of times per year. These checkups should always include a penetration test and various ethical hacking tests.
One unique characteristic of the MysteryBot lies in its approach to overlay attacks, which are used by hackers to draw on top of other apps running on the infected devices; for example, it could overlay phishing pages on top of legitimate apps.
Interestingly, MysteryBot has found a way to bypass the built-in security protections of Android 7 and 8, such as Security-Enhanced Linux (SELinux).
The bypass is done by abusing a glitch in the Android PACKAGE_USAGE_STATS permission (a.k.a. the “Usage Access” permission), an Android feature that exposes statistics about app usage. Once installed, MysteryBot uses the AccessibilityService to obtain any required permission without the victim’s consent. The bot has abused this feature to target overlay attacks against over 100 apps, including WhatsApp and Facebook.
Cybersecurity researchers also found that this new trojan has keylogging functionality, but it is still under development, as there is no method yet to send the logs to the C&C server.
Worryingly, the enhanced overlay attack capability works on the latest Android versions; this, combined with the advanced keylogging features, will enable MysteryBot to gather a huge amount of private information in order to perform fraud.
MysteryBot also packs a ransomware module, which encrypts every file individually in the external storage directory, including every subdirectory; after it does so, the original files are deleted.
It can also delete the contacts from the infected device, which is something new that had not been observed in banking malware until now.
Keep in mind that every device represents a network entry point or a valuable data bank that must be protected by at least one cybersecurity solution, such as an antivirus. Depending on which OS your machine is running, install an antivirus for Windows, an antivirus for Mac, or an antivirus for Android for total protection. Companies must take an extra step and hire a professional cybersecurity firm that will run various cybersecurity tests on the company’s network in order to implement the best possible cybersecurity solution. Always opt for a package that includes at least a penetration test and an ethical hacking test. For companies that exist 100% online, we recommend using cyber-secured web hosting services.