Banking Trojans have proven to be a consistent form of attack for hackers looking to make a quick buck. There are always victims who fall for various social engineering tactics, as well as coders willing to improve an already effective class of malware. These two factors have caused an explosion of new banking Trojans on the threat landscape over the past couple of years. The latest to make waves with InfoSec researchers looks at first glance like a better version of LokiBot, but that description understates it. Researchers at ThreatFabric (formerly known as SfyLabs) have published a blog post on this particular banking Trojan. Given the name “MysteryBot” in the report, it shares infrastructure with its predecessor: the researchers note that “MysteryBot and LokiBot Android banker are both running on the same C&C server.” While it is very likely that the author behind LokiBot is also behind MysteryBot, the newer Trojan is far more dangerous than LokiBot 2.0 in terms of what it can accomplish.
While it has many of the core features of other banking Trojans (such as keylogging), what sets MysteryBot apart from its competition is how it handles overlay attacks on versions 7 (Nougat) and 8 (Oreo) of the Android OS. In these releases, and in particular through the Security-Enhanced Linux (SELinux) changes, Android has made it almost impossible to time overlay attacks properly: an overlay only works if the fake screen appears at the moment the victim opens the targeted app, and the system no longer lets an ordinary app easily learn which app is in the foreground. These attacks have been the bread and butter of previous banking Trojans, so Android 7 and 8 created numerous problems for previously effective methods. While other banking Trojan authors have been banging their heads against the wall, MysteryBot is the first banking Trojan since the Android 7 and 8 updates to perform overlay attacks effectively.
ThreatFabric explains the strategy as follows:
The success of the overlay attacks relies on timing, luring the victim on a fake page asking for credentials or credit card information at the moment the related app is opened by the victim... A new technique... abuses the Android PACKAGE_USAGE_STATS permission... The code of MysteryBot has been consolidated with the so-called PACKAGE_USAGE_STATS technique. Because abusing this Android permission requires the victim to provide the permissions for usage, MysteryBot employs the popular AccessibilityService, allowing the Trojan to enable and abuse any required permission without the consent of the victim.
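From a defender's side, the combination ThreatFabric describes (the usage-stats permission for foreground-app detection, an accessibility service to self-grant permissions, and the ability to draw over other apps) is visible in an APK's manifest before the app ever runs. The following triage script is an added example written for this article, not ThreatFabric's tooling or anything from the MysteryBot sample; it parses a constructed AndroidManifest.xml and scores how many of those three capabilities are requested together. The package name and the manifest contents are invented for illustration; SYSTEM_ALERT_WINDOW is assumed here as the standard overlay permission, which the report excerpt does not name explicitly.

```python
"""Manifest triage: flag an Android app that requests the permission trio
that overlay-style banking Trojans rely on. Added example, not the page's
or ThreatFabric's code; the sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names. Each is legitimate on its own (launchers,
# screen filters, assistive tools); it is the combination that is suspicious.
USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS"            # which app is in the foreground
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"                # draw windows over other apps
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"   # declared on a service element

# Constructed manifest for a hypothetical "flashlight" app (not a real package).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, requested permissions, accessibility service names)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    accessibility_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == ACCESSIBILITY
    ]
    return root.get("package"), perms, accessibility_services


def triage(xml_text):
    """Score a manifest: HIGH when all three overlay-timing capabilities
    are present, MEDIUM for two, LOW otherwise."""
    pkg, perms, a11y = parse_manifest(xml_text)
    findings = []
    if USAGE_STATS in perms:
        findings.append("requests PACKAGE_USAGE_STATS (can learn the foreground app)")
    if OVERLAY in perms:
        findings.append("requests SYSTEM_ALERT_WINDOW (can draw over other apps)")
    if a11y:
        findings.append("declares accessibility service(s): " + ", ".join(a11y))
    hits = (USAGE_STATS in perms) + (OVERLAY in perms) + bool(a11y)
    verdict = "HIGH" if hits == 3 else "MEDIUM" if hits == 2 else "LOW"
    return {"package": pkg, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(report["package"], report["verdict"])
    for line in report["findings"]:
        print(" -", line)
```

On the constructed manifest this reports HIGH with three findings. In practice the same check runs over the decoded manifest of any APK before it is allowed onto managed devices, and a MEDIUM or HIGH verdict is a reason to look at the sample's code, not proof of infection, since legitimate accessibility and screen-filter apps also request subsets of these permissions.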
As of the publication of the ThreatFabric report, there have not been many cases of MysteryBot infections. This is likely to change, however, as is always the case with any new kind of malware variant. Researchers are in many ways lucky to have gotten out in front of this before infections really kick into overdrive. The MysteryBot banking Trojan also contains an experimental ransomware component (rare for banking Trojans) that can “encrypt individually all files in the external storage directory, including every subdirectory,” which makes it all the more imperative that financial institutions take note of this newest malware.
The risks are far too great to ignore.
Featured image: Shutterstock