MysteryBot: New triple threat malware comes with banking Trojan, keylogger and ransomware features

A new Android malware called MysteryBot has been uncovered by security researchers which comes with banking malware, keylogger and ransomware features. The malware also comes with a host of data-stealing abilities, including harvesting SMS messages, mails, contacts and more.

MysteryBot can also make calls from the infected device, send spam SMS messages, delete all SMS messages and more.

The malware was discovered by security researchers at ThreatFabric while they were analysing the LokiBot malware. Researchers said the two trojans may be connected since both malware variants were found running on the same C2 server. ThreatFabric researchers believe that MysteryBot is either a new variant of LokiBot or a new banking malware created by the same threat actors who created LokiBot.

MysteryBot uses new overlay technique for Android 7 and 8

The malware’s authors have implemented a new overlay technique that applies to Android 7 and 8. The latest versions of Android have effectively rendered previous overlay attack techniques useless. However, this has only motivated cybercriminals to find new overlay techniques.

According to ThreatFabric researchers, various Android banking malware families such as Anubis II, ExoBot 2.5 and DiseaseBot have been experimenting with new overlay techniques that could be applied on Android 7 and 8.

“The code of MysteryBot, has been consolidated with the so-called PACKAGE_USAGE_STATS technique,” ThreatFabric researchers wrote in a blog. “Because abusing this Android permissions requires the victim to provide the permissions for usage, MysteryBot employs the popular AccessibilityService, allowing the Trojan to enable and abuse any required permission without the consent of the victim.”

MysteryBot’s keylogging and ransomware abilities

MysteryBot doesn’t make use of known keylogging techniques. Instead, it employs a “new and innovative”technique that involves calculating the location of each key on a phone. In other words, the keylogger uses the phone’s touch data to log users’ keystrokes.

“MysteryBot actor(s) did innovate keylogging with this new implementation. Effectively lowering detection rates and limiting the user interaction required to enable the logger. Indeed, the key logging mechanism is based on touch points on the screen instead of using the commonly abused Android Accessibility Service, meaning that it has potential to log more than the usually keystrokes,” ThreatFabric researchers noted.

Meanwhile, the malware also embeds a ransomware feature that encrypts all files in the infected device’s external storage. The encryption involves allocating all files a password-protected ZIP archive.

Over the past six months, the trend of malware variants coming packed with RAT, keylogging, sound recording and file uploading capabilities has become more common than ever before, researchers noted. These functionalities not only allow attackers the ability to bypass security, but also enable advanced data harvesting without specific triggers.

“If our expectation of increase in such behavior turns out to be true, it means that it will become difficult for financial institutions to assess whether or not they are target by the specific threats and that all infected devices can be source of fraud and espionage,” ThreatFabric researchers said.