New Android malware: MysteryBot banking Trojan the latest headache for researchers

Banking Trojans have proven to be a consistent form of attack for criminals looking to make a quick buck. There are always victims who fall for social engineering, and there are always coders willing to improve an already effective class of malware. Those two factors have driven the explosion of new banking Trojans on the threat landscape over the past couple of years. The latest to make waves with InfoSec researchers looks at first glance like a better version of LokiBot, but that is an understatement. Researchers at ThreatFabric (formerly known as SfyLabs) have published a blog post on this particular banking Trojan, which they named "MysteryBot." They note that "MysteryBot and LokiBot Android banker are both running on the same C&C server," which makes it very likely that the author behind LokiBot is also behind MysteryBot. The newer Trojan, however, is far more capable than LokiBot 2.0 in what it can accomplish.

MysteryBot has many of the core features of other banking Trojans (keylogging, for example). What sets it apart is how it handles overlay attacks on Android 7 (Nougat) and Android 8 (Oreo). An overlay attack works by drawing a fake login screen on top of the real banking app, so it only succeeds if the malware can tell exactly when the targeted app is brought to the foreground. The hardening in Android 7 and 8, notably the tightened SELinux policy (SELinux itself predates these releases), cut off the methods older bankers used to learn which app is in the foreground, which made overlays almost impossible to time correctly. Since these attacks have been the bread-and-butter of previous generations of banking Trojans, Android 7 and 8 left most of them unable to deploy their most effective technique. While other banking Trojan authors have been banging their heads against the wall, MysteryBot is the first banker ThreatFabric has seen perform overlay attacks effectively on Android 7 and 8.

ThreatFabric explains the strategy as follows:

The success of the overlay attacks relies on timing, luring the victim on a fake page asking for credentials or credit card information at the moment the related app is opened by the victim... A new technique... abuses the Android PACKAGE_USAGE_STATS permission... The code of MysteryBot has been consolidated with the so-called PACKAGE_USAGE_STATS technique. Because abusing this Android permission requires the victim to provide the permissions for usage, MysteryBot employs the popular AccessibilityService, allowing the Trojan to enable and abuse any required permission without the consent of the victim.
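The combination ThreatFabric describes, a usage-stats permission to learn which app is in the foreground plus an accessibility service to grant it silently, is something a defender can look for at triage time. The following is an added example, not code from the ThreatFabric report or from MysteryBot: a Python script that inspects a decoded AndroidManifest.xml (the manifest inside an APK is binary AXML, so decode it first with a tool such as apktool) and flags that capability pairing. The sample manifests, package names and service names are constructed for the example; SYSTEM_ALERT_WINDOW is added as an extra signal on the assumption that an overlay-drawing app requests it, which the report itself does not state.

```python
"""Triage heuristic for the PACKAGE_USAGE_STATS + AccessibilityService pattern.

Added example (not ThreatFabric's or MysteryBot's code). Input is a decoded
AndroidManifest.xml as plain text, e.g. the output of `apktool d sample.apk`.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"            # android:name
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission

USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"  # assumption: not named in the report
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def declared_permissions(root):
    """Set of permission names requested through <uses-permission>."""
    return {p.get(NAME) for p in root.iter("uses-permission") if p.get(NAME)}


def accessibility_services(root):
    """Class names of <service> elements wired up as an AccessibilityService.

    A real accessibility service must be bound with BIND_ACCESSIBILITY_SERVICE
    and carry the AccessibilityService intent action; both are checked.
    """
    found = []
    for svc in root.iter("service"):
        if svc.get(PERMISSION) != BIND_A11Y:
            continue
        actions = {a.get(NAME) for a in svc.iter("action")}
        if A11Y_ACTION in actions:
            found.append(svc.get(NAME))
    return found


def triage_manifest(manifest_xml):
    """Return the findings and a verdict for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    a11y = accessibility_services(root)
    findings = []
    if USAGE_STATS in perms:
        findings.append("usage_stats")
    if a11y:
        findings.append("accessibility_service")
    if OVERLAY in perms:
        findings.append("overlay_window")
    # Only the pairing is interesting: a screen reader legitimately declares an
    # accessibility service, and a usage tracker legitimately asks for usage stats.
    core = {"usage_stats", "accessibility_service"}
    verdict = "overlay-banker-pattern" if core <= set(findings) else "no-match"
    return {
        "package": root.get("package"),
        "findings": findings,
        "accessibility_services": a11y,
        "verdict": verdict,
    }


# Constructed sample manifests for the example; not taken from any real APK.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Ax"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The verdict is a triage hint, not a detection signature: it points an analyst at samples whose declared capabilities match the technique, and the accessibility-service class name it returns is the place to start reading the decompiled code.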

As of the publication of the ThreatFabric report, there had not been many cases of MysteryBot infections. This is likely to change, however, as is always the case with any new malware variant. Researchers are in many ways lucky to have gotten out in front of this one before infections really kick into hyper-drive. With the MysteryBot banking Trojan also carrying an experimental ransomware component (rare for banking Trojans) that can "encrypt individually all files in the external storage directory, including every subdirectory," it is imperative that financial institutions take note of this newest malware.

The risks are far too great to ignore.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.