Mysterybot, a new LokiBot-Linked Android Trojan Emerges
16.6.18 securityaffairs Android

Threat Fabric reports of a newly discovered banking Trojan, dubbed Mysterybot, targeting Android 7 and 8 versions, the malware seems to be linked to Lokibot.
Threat Fabric (formerly known as SfyLabs) reports on a newly discovered banking Trojan targeting Android 7 and 8. It appears to be linked to Lokibot, the hydra of the Android malware zoo, because it uses the same command and control (C&C) server.

The recently discovered banking Trojan, dubbed Mysterybot, seems to be either an update of Lokibot or a member of the same Trojan family.

Lokibot is known as the hydra of the Android malware zoo, because it has Android Trojan and ransomware capabilities. Killing one does not kill the other.

Mysterybot features improved commands compared to Lokibot, a new name, and modified network communication.

“Although certain Android banking malware families such as but not limited to ExoBot 2.5, Anubis II, DiseaseBot have been exploring new techniques to perform overlay attacks on Android 7 and 8, it seems that the actor(s) behind Mysterybot have successfully implemented a workaround solution and have spent some time on innovation.”

Here is a list of the ‘innovative’ features the researchers discovered:

The supported commands include: call a given phone number, fetch contact list information, forward calls, copy all SMS messages, log keystrokes, encrypt files on external storage and delete all contacts, send an SMS message to all contacts, change default SMS app, call a USSD number, delete all SMS messages and send SMS messages.
Phishing functionality that uses a new technique to overlay phishing pages on top of legitimate apps on Android 7 and 8 devices. Restrictions in Security-Enhanced Linux (SELinux) and other security controls in newer Android versions were built to prevent malware from displaying fake windows over legitimate apps. The new technique leverages the Android PACKAGE_USAGE_STATS permission (Usage Access permission) to bypass those restrictions, and abuses the AccessibilityService to obtain that permission.
The Mysterybot use case works like this: the malware, posing as an Adobe Flash Player app, asks the victim to grant it the Usage Access permission, which enables its villainous capabilities. The malware then monitors the package names of the applications in the foreground. It targets over 100 applications with its overlays, including mobile banking and social platform apps.
In addition, Mysterybot uses a new method of logging keystrokes: it calculates the location of the keys on the screen and places a different View over each of them, allowing it to register which keys have been pressed. This component still seems to be under development, because Mysterybot cannot yet send the logged keystrokes to the C&C server.
Like Lokibot, Mysterybot also has ransomware capabilities, managed from a dashboard separate from the Trojan's. It encrypts each file in the External Storage Directory and then deletes the originals. Mysterybot places each file in a password-protected ZIP archive but uses the same runtime-generated password for all archives. Once encryption completes, the malware displays a dialogue claiming the victim watched pornographic material and instructing them to contact the attacker via email.
The passwords Mysterybot uses for the ZIP archives are 8 characters long, drawn from upper- and lowercase Latin letters combined with digits.
The victim IDs appear to be reusable across victims, because each ID can only be a number between 0 and 9,999.
Mysterybot seems to be the next step in the evolution of Android banking malware, inheriting from the hydra Lokibot, and at the same time improving it by being a banking Trojan, ransomware, and keylogger in one malware agent.
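The two capabilities described above for the overlay attack, Usage Access (PACKAGE_USAGE_STATS) and an enabled AccessibilityService, can be audited on a device. The following Android Java class is an added example for defenders, not code from Threat Fabric or the article; it assumes only the public Android framework APIs named in it and is meant to run inside an app with a Context.

```java
// Added example (not from the Threat Fabric report): list third-party apps holding the
// Usage Access permission and the accessibility services currently enabled, the two
// privileges the article says Mysterybot acquires for its Android 7/8 overlay attack.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

public final class PrivilegeAudit {

    /** Package names of non-system apps whose Usage Access toggle is switched on. */
    public static List<String> appsWithUsageAccess(Context ctx) {
        AppOpsManager appOps = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<String> granted = new ArrayList<>();
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            // Preinstalled components are skipped; a sideloaded "Flash Player" is what matters here.
            if ((app.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue;
            int mode = appOps.checkOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS, app.uid, app.packageName);
            // MODE_DEFAULT falls back to a signature permission third-party apps cannot hold,
            // so only an explicit MODE_ALLOWED counts as "Usage Access granted".
            if (mode == AppOpsManager.MODE_ALLOWED) granted.add(app.packageName);
        }
        return granted;
    }

    /** Flattened "package/ServiceClass" ids of every enabled accessibility service. */
    public static List<String> enabledAccessibilityServices(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> ids = new ArrayList<>();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ids.add(info.getId());
        }
        return ids;
    }

    /** Packages present in both lists match the privilege profile the article describes. */
    public static List<String> suspiciousOverlap(Context ctx) {
        List<String> usage = appsWithUsageAccess(ctx);
        List<String> both = new ArrayList<>();
        for (String id : enabledAccessibilityServices(ctx)) {
            String pkg = id.contains("/") ? id.substring(0, id.indexOf('/')) : id;
            if (usage.contains(pkg) && !both.contains(pkg)) both.add(pkg);
        }
        return both;
    }
}
```

A hit from suspiciousOverlap is not proof of infection, since legitimate accessibility and digital-wellbeing apps hold the same privileges; it is a short list worth reviewing against the Usage Access and Accessibility screens in Settings.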

About the author

Cordny Nederkoorn

Software test engineer and founder of TestingSaaS, a social network about researching cloud applications with a focus on forensics, software testing and security.