Recently, a new Android malware family named MysteryBot has been identified. It bundles several kinds of threats into a single app: a banking trojan, a keylogger and ransomware. By combining capabilities that are usually spread across separate malware families, MysteryBot is more dangerous than most of its peers. It closely resembles LokiBot, the banking malware that wreaked havoc last year by turning into ransomware when a victim tried to remove it. According to the researchers, MysteryBot and LokiBot even communicate with the same C&C server.
MysteryBot's reported capabilities include manipulating banking apps on the device (through overlay screens), automatically harvesting SMS messages and contacts, and recording keystrokes. Notably, the new malware is built to work on devices running Android 7 and later.
MysteryBot Targets Devices Running Android 7 and Later
MysteryBot is considered more harmful and more capable than LokiBot. The two families share enough code and behaviour to suggest that MysteryBot is an advanced successor of LokiBot, while the differences set it apart. MysteryBot is also distinct from other current Android banking malware families such as DiseaseBot, Anubis II and ExoBot 2.5.
Let's check how MysteryBot differs from other Android banking malware
First, MysteryBot appears to be the first Android banking malware that reliably displays overlay screens on Android 7 and later.
Overlay screens let banking malware draw a fake login page on top of the legitimate banking app, so that the credentials the victim types go to the attacker. Android 7 introduced security changes, tightened further in later versions, that stop malware from displaying such overlays in a consistent manner.
The shortcoming of earlier malware was timing. To show the overlay at the right moment, the malware has to know which app the user is currently looking at (the foreground app), and the older techniques for determining this no longer work reliably on Android 7 and later. As a result, the overlay was often not shown when the user actually opened the banking app or was prompted to enter credentials, and the attack failed.
How It Abuses the Usage Access Permission
MysteryBot uses a new overlay technique that abuses the Usage Access permission, android.permission.PACKAGE_USAGE_STATS. This permission is not granted at install time like ordinary permissions; the user has to enable it for the app in the system Settings, so the malware relies on tricking the victim into switching it on. Once granted, the permission lets the app read the system's app-usage statistics, which indirectly reveal which app is currently in the foreground. That is exactly the information the malware needs to display its fake login screen at the moment the targeted banking app is opened.
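As an added check (example code written for this article, not code from MysteryBot or from the researchers' material): a small Python triage script that parses saved `aapt dump permissions` output and flags the permission footprint the capabilities described on this page would need, in particular the pairing of "draw over other apps" (SYSTEM_ALERT_WINDOW) with Usage Access (PACKAGE_USAGE_STATS), plus the SMS, contacts and external-storage permissions behind the other features the article attributes to the malware. The capability-to-permission mapping and the sample dump are this example's own assumptions. Legitimate launchers and screen-time apps also request Usage Access, so a match is a triage lead, not a verdict.

```python
"""Permission-footprint triage for Android APKs, keyed to the capabilities the
article attributes to MysteryBot.  Works offline on saved `aapt dump
permissions` output; the sample below is constructed, not a real APK."""
import re
from typing import Dict, List, Set

# Permissions that each capability described in the article would need.
# The grouping is this example's own heuristic, not a vendor signature.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "overlay drawing (fake login screens)": {
        "android.permission.SYSTEM_ALERT_WINDOW"},
    "foreground-app detection via Usage Access": {
        "android.permission.PACKAGE_USAGE_STATS"},
    "SMS harvesting": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact harvesting": {"android.permission.READ_CONTACTS"},
    "file encryption on external storage": {
        "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# `aapt dump permissions` prints one "package:" line per APK followed by
# "uses-permission:" lines.  Newer aapt writes name='X'; older builds write X.
_PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")


def parse_aapt_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map each package in the dump to the set of permissions it requests."""
    apps: Dict[str, Set[str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        pkg = _PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            apps.setdefault(current, set())
            continue
        perm = _PERM_RE.match(line)
        if perm and current is not None:
            apps[current].add(perm.group(1))
    return apps


def capabilities(perms: Set[str]) -> List[str]:
    """Capability labels whose permission footprint is present in `perms`."""
    return [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if needed & perms]


def has_overlay_trojan_profile(perms: Set[str]) -> bool:
    """The pairing the article singles out: the app can draw over other apps
    AND can learn the foreground app through Usage Access, which is what lets
    an overlay be shown exactly when the banking app opens."""
    return {"android.permission.SYSTEM_ALERT_WINDOW",
            "android.permission.PACKAGE_USAGE_STATS"} <= perms


def triage(dump: str) -> Dict[str, dict]:
    """Per-package report: matched capabilities and the overlay-trojan flag."""
    return {
        pkg: {"capabilities": capabilities(perms),
              "overlay_trojan_profile": has_overlay_trojan_profile(perms)}
        for pkg, perms in parse_aapt_permissions(dump).items()
    }


# Constructed sample: a benign-looking app and one matching the full profile.
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
package: com.example.dropper
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.PACKAGE_USAGE_STATS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    for pkg, report in triage(SAMPLE_DUMP).items():
        flag = "OVERLAY-TROJAN PROFILE" if report["overlay_trojan_profile"] else "-"
        print(f"{pkg}: {flag}")
        for cap in report["capabilities"]:
            print(f"    {cap}")
```

To use it on a real sample, pull the APK from the device, run `aapt dump permissions suspect.apk > perms.txt` and pass the file contents to `triage()`. Requesting PACKAGE_USAGE_STATS in the manifest is not the same as having it granted; on a live device, `adb shell appops get <package> GET_USAGE_STATS` shows whether the user actually switched Usage Access on for that app.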
The current in-development version of MysteryBot ships custom-made overlay screens for mobile banking apps used in Germany, Australia, France, Austria, Poland, Spain, Romania and Croatia. Among instant messaging apps it targets WhatsApp, Facebook and Viber.
According to the researchers, the malware already targets more than a hundred apps, and its overlay arsenal is expected to grow further in the coming weeks.
It Contains a Unique Keylogger Component
MysteryBot also contains a keylogger. According to the researchers, it shows no sign of any previously known Android keylogging technique, which means it uses a new approach that is still in development and not yet fully understood. In that respect it differs from every keylogger identified on the Android platform so far.
For now the keylogger is still a work in progress: at this stage there is no code path that sends the recorded keystrokes to the C2 server.
MysteryBot also has a ransomware component that encrypts files on the device's external storage, recursing into every subdirectory.
Since MysteryBot is still under development and has not yet spread widely, defenders still have time to prepare. As a general precaution, do not install Android apps from untrusted sources, and be wary of any app that asks you to enable Usage Access or to let it draw over other apps in the system Settings, since those are the grants this overlay technique depends on.
The Bottom Line
MysteryBot is a new threat to Android users: it can steal banking credentials through fake overlay screens and encrypt the files on your device.