A new type of Android malware called MysteryBot has been found which combines a ransomware, a keylogger and a banking trojan on your smartphone. This malware is said to feature capabilities such as getting contacts and messages saved on a device, manipulate banking apps and also register keystrokes.
For one, MysteryBot has commands which can steal your emails and remotely start apps and its main targets are users who are on Android 7.0 and Android 8.0.This new vulnerability, which was found out by ThreatFabric, is quite similar to the malware LokiBot. This is because both MysteryBot and LokiBot are currently running on the same command and control server. This, in turn, means that both the malware could have been made by the same attacker, as per the blog post. However, MysteryBot has some more threats as compared to LokiBot.
More importantly, the malware has a secret code which can overlay a duplicate screen on banking apps, tricking you into putting your credentials into the fake screen. These credentials are then sent to a remote server controlled by the attacker.
As per the blog post, there are several banks which are being targetted such as IDBI, HDFC, HSBC, ICICI, SBI and more.
The malware also has a keylogger, which is a kind of surveillance software having the capability to record every keystroke made on that system. A keylogger can record instant messages, email, and capture any information you type at any time using your keyboard.
But ThreatFabric believes that the keystroke function in the malware is not fully operational.”The code for this the keylogger seems to still be under development as there is no method yet to send the logs to the C2 server,” said the blog post.
There are also Ransomware capabilities in the malware, allowing the MysteryBot to encrypt files on your device’s external storage. “The encryption process puts each file in an individual ZIP archive that is password protected, the password is the same for all ZIP archives and is generated during runtime. When the encryption process is completed, the user is greeted with a dialogue accusing the victim of having watched pornographic material,” said the blog post.
MysteryBot is also capable of manipulating a service permission called as ‘Package Usage Stats’. This allows the trojan to change app permissions without the user’s consent.
Since MysteryBot is still under development, it doesn’t look like the malware is widespread. However, as a safety measure do not install apps from unverified sources.