An experimental form of malware for Android offers a bank Trojan, a keystroke logger and a ransomware for those unfortunate enough to be victims of it.
Discovered by security researchers at the security company ThreatFabric, the malware was first thought to be an updated version of Lokibot, but because it contains several new features, researchers label it as a new form of malware: MysteryBot.
However, MysteryBot and LokiBot share the same command and control server, indicating a strong link between the two types of malware, with the possibility that they may have been developed by the same attacker.
Malware is also potentially powerful, with the Trojan able to control the functionality of infected devices, including the ability to read messages, collect contact information, and more.
There are also commands for stealing emails and remote startup applications, but these particular tools do not appear to be active yet, suggesting that this malware is still in the development phase.
While many Android malware families focus on attacking earlier versions of the Google operating system, MysteryBot has the ability to actively target versions 7 and 8 of Android using overlay screens designed to resemble real bank websites, but are in fact managed by the attackers, the researcher said.
Fake websites from a wide variety of banks around the world can be displayed to the victim, ensuring that attackers can launch a wide network to steal the credentials entered.
Once active on the device, the malware appears as a fake version of Adobe Flash Player. However, researchers have not detailed how the payload is initially delivered to the device.
Researchers say the way malware records keylogging in a new and innovative way, determining which key has been pressed by its location on the screen relative to others, something it can do when the keyboard is held both horizontally and vertically, the researchers explained in a blog post.
However, as with other malware features, the keylogger still appears to be in development as there is currently no way for the registered keys to be stored on the command server.
In addition to the ability to infect victims with a Trojan and a keylogger, those behind MysteryBot have also been experimenting with a ransomware tool. The embedded ransomware feature allows malware to encrypt individual files and store them in a passive transfer ZIP file.
When the encryption is complete, a message notifies the victim of viewing adult content and requires them to contact an email address to obtain a password, and presumably pay for the privilege.
However, the MysteryBot ransomware element does not appear to be sophisticated. Not only because it requires email contact, but the password is only eight characters long, which in theory could be guessed by brute force.
Second, victims are assigned an ID between 0 and 9999. Because there is no verification of existing identification, attackers may be able to duplicate the IDs and it may be impossible for victims to recover the files.
But despite some of MysteryBot’s capabilities that are currently underdeveloped, malware remains a potential threat.
“The enhanced overlay attacks that also run on the latest versions of Android combined with advanced keylogging and possible underdevelopment features will allow MysteryBot to harvest a wide range of personally identifiable information for fraud,” the researchers wrote.
MysteryBot is not currently widespread and is still under development, but users should be wary of applications they download that require an excessive amount of permissions.
Related posts:
Leave a Reply