
Malware upgrade for Android!

Overall, there are two primary smartphone platforms: the iPhone and Android. Of the two, Android phones have been targeted at a much greater rate. Yet another example of this targeting trend has recently been noted: a new piece of Android malware termed MysteryBot.

Targeted

In this case, the targets were Android 7.x and Android 8.x (Nougat and Oreo). The malware tricks the user into installing it by pretending to be Adobe Flash Player. The method by which the payload is delivered to the device has yet to be published.

Function

MysteryBot is still under development. It has been detected in the wild, but not widely. This sample is related to a previously noted and successful malware family, LokiBot.

MysteryBot works as a banking trojan, keylogger, and mobile ransomware, all in one malware package. Unfortunately, these are far from all of its functions.

MysteryBot was coded to send data back to the same command and control (C&C) server as the LokiBot malware. This, among other attributes, indicates that both come from the same malware creators.

For this malware, the banking trojan component is creative. On a targeted and compromised device, the unknowing user sees a "screen" that is actually an overlay placed there by the malicious application. The malware monitors activity, waiting for the user to try to log into their bank; the overlay mimics the user's bank login screen. In earlier versions, this technique did not work exceptionally well. MysteryBot improved on it, evidencing learning from prior code errors: with this version, the overlay screens are presented at the appropriate time. This is done by abusing the Android PACKAGE_USAGE_STATS permission, which is granted through the Accessibility Service/Usage Access settings. The factor that makes this work so well is that the user provides the permissions.

The nuance goes beyond this. The keylogger's uniqueness is that it records the location where the user touched the screen. The malware then attempts to guess what the user is typing from that location, using the FLAG_SECURE setting. Although new, this component is still under development.

The malware also has a ransomware component, coded to lock the user's files or external storage. It does not encrypt the files but locks them: the files, directories, and subdirectories are placed in a password-protected ZIP archive. This module was not coded well. The ZIP archive password is only eight characters long. The password and the infected device ID are then forwarded to a remote control panel (Myster_Locker). The ID number is between 0 and 9999, and there is no verification of pre-existing IDs. Once the files are locked, MysteryBot shows the user a message stating that the device is blocked because it accessed pornographic videos.
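The ID scheme described above can be quantified. The following Python script is an added example, not part of the original post: it models a panel that assigns random IDs in 0..9999 without checking for duplicates and shows how quickly a later victim's password overwrites an earlier one, so the earlier victim's archive can no longer be unlocked even by the operator (the panel model and the passwords are constructed).

```python
import random

ID_SPACE = 10_000  # the write-up gives the device ID range as 0..9999


def collision_probability(n_victims, id_space=ID_SPACE):
    """Exact birthday-problem probability that at least two of n_victims
    receive the same ID when IDs are drawn uniformly with no uniqueness check."""
    if n_victims > id_space:
        return 1.0
    p_all_unique = 1.0
    for i in range(n_victims):
        p_all_unique *= (id_space - i) / id_space
    return 1.0 - p_all_unique


def victims_for_probability(target, id_space=ID_SPACE):
    """Smallest victim count at which a duplicate ID is at least `target` likely."""
    n = 1
    while collision_probability(n, id_space) < target:
        n += 1
    return n


def simulate_panel(n_victims, seed=1, id_space=ID_SPACE):
    """Constructed model of a control panel that stores id -> ZIP password
    without checking whether the ID is already taken. Returns how many
    earlier victims had their password overwritten (archive unrecoverable)."""
    rng = random.Random(seed)
    panel = {}
    overwritten = 0
    for _ in range(n_victims):
        device_id = rng.randrange(id_space)
        # eight-character password, the length the write-up describes
        password = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=8))
        if device_id in panel:
            overwritten += 1
        panel[device_id] = password
    return overwritten


if __name__ == "__main__":
    print(f"P(duplicate ID) with 100 victims: {collision_probability(100):.3f}")
    print(f"victims needed for a 50% duplicate chance: {victims_for_probability(0.5)}")
    print(f"overwritten records in a 1000-victim run: {simulate_panel(1000)}")
```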

To unlock the device, the user is directed to an email address in Russia. To make matters worse, the malware is able to access the user's phonebook details, copy text messages, manage call forwarding, and delete contact details from the device. Worse still, it may make or stop phone calls; copy, delete, and send SMS messages; access and steal emails; and allow unauthorized remote access.
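As an added defensive illustration (not code from the original post), the following Python script maps the capabilities described above to the Android permissions an app would have to request for them, and flags the overlay-plus-foreground-tracking combination behind the fake bank login screen. The manifest it parses is a constructed sample of what a "Flash Player" lure app might declare, not a real MysteryBot sample, and the capability labels are my own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME, PERM = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}permission"

# Capabilities the write-up attributes to MysteryBot, mapped to the Android
# permissions an app must request to get them.
CAPABILITY_PERMISSIONS = {
    "screen overlay (fake bank login)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "foreground-app tracking (overlay timing)": {"android.permission.PACKAGE_USAGE_STATS"},
    "read/send SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "make or stop calls": {"android.permission.CALL_PHONE"},
    "read or delete contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "lock files on external storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}


def triage_manifest(manifest_xml):
    """Map requested permissions to the capabilities above and flag the overlay combination."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    # An accessibility service is the other route to knowing which app is in front.
    accessibility = any(svc.get(PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                        for svc in root.iter("service"))
    matched = {cap: sorted(requested & perms)
               for cap, perms in CAPABILITY_PERMISSIONS.items() if requested & perms}
    overlay_risk = "screen overlay (fake bank login)" in matched and (
        "foreground-app tracking (overlay timing)" in matched or accessibility)
    return {"package": root.get("package"), "capabilities": matched,
            "accessibility_service": accessibility, "overlay_risk": overlay_risk}


# Constructed sample manifest for a "Flash Player" lure app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer.lure">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Adobe Flash Player">
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the matched capabilities; an app that matches several of these and sets `overlay_risk` deserves a closer look before it is installed.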

Removal

All is not lost. To remove it, the user needs to boot the device in safe mode, install Reimage or an anti-malware tool, and scan the full system.

Looking Forward

As noted, the malware enters the user's system disguised as what they believe is Adobe Flash Player. Learning from others' mistakes, users should install applications only from trusted developers, decline applications that require admin rights or other rights that are not necessary, read the terms and conditions if possible, and read other users' reviews.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
