Recently, a new Android trojan dubbed ‘MysteryBot’ was discovered by ThreatFabric; it is said to be similar to the Android banking trojan LokiBot. The malware is capable of stealing user data and also carries built-in ransomware dubbed ‘Mystery_L0cker’.
How Was It Discovered?
This malware was discovered while investigating the infected targets of GandCrab ransomware, and it appears that the actors responsible for this attack are the same group that was behind LokiBot. ThreatFabric also found that both infections run on the same C&C server, which brought them to the conclusion that MysteryBot is either an update to LokiBot or a new malware developed by the same active group.
The operators typically spread it through spam emails and messages that ask users to download infected files. The infected file is either attached to the message or hyperlinked within the email content.
On this ThreatFabric said,
“While processing our daily set of suspicious samples, our detection rule for the Android banking trojan LokiBot matched a sample that seemed quite different than LokiBot itself, urging us to take a closer look at it. Looking at the bot commands, we first thought that LokiBot had been improved.
However, we quickly realized that there is more going on: the name of the bot and the name of the panel changed to “MysteryBot”, even the network communication changed.”
What Is the MysteryBot Android Trojan Capable Of?
Once the targeted device is infected, MysteryBot immediately starts executing its built-in commands. The security researchers at ThreatFabric extracted the list of all supported bot commands, which includes:
CallToNumber — Make a call to a given phone number from the device that is infected.
Contacts — Extracts contact list and information (phone number and name of contacts).
De_Crypt — No code present, in development (probably decrypts the data / reverses the ransomware).
ForwardCall — Forwards incoming calls of the device to another number.
GetAlls — Short for GetAllSms; copies all the SMS messages from the device.
GetMail — No code present, in development (probably stealing emails from the infected device).
Keylogg — Copies and saves keystrokes performed on the infected device.
ResetCallForwarding — Stops the forwarding of incoming calls.
Screenlock — Encrypts all files in the External Storage Directory and deletes all contact information on the device.
Send_spam — Sends a given SMS message to each contact in the contact list of the device.
Smsmnd — Replaces the default SMS manager on the device, meant for SMS interception.
StartApp — No code present, in development (probably allows remotely starting an application on the infected device).
USSD — Calls a USSD number from the infected device.
dell_sms — Deletes all SMS messages on the device.
send_sms — Sends a given SMS message to a specific number.
That is not all: it also ships additional modules, such as the built-in ransomware called “Mystery_L0cker”. Let us look at it in more detail.
MysteryBot’s Built-in Ransomware Mystery_L0cker and How It Works
Like every other ransomware, Mystery_L0cker targets and encrypts user data. First it scans the local file system and identifies, by file extension, the file types that are easiest to access. Those files are then placed in a ZIP file. After this, the ransomware engine generates a password at runtime using its encryption routine.
When this process is complete, a notification is generated on the Android device showing blackmail content. When clicked, it may also redirect the user to pornographic content. According to the attackers, users can restore their data if they email them.
Conclusion
The creators of the MysteryBot Android trojan are still working on it, and it is not yet fully active on all Android devices. All Android users are advised to take the necessary precautions. Also, do not install the file or APK listed below:
Adobe Flash Player (install.apps) 334f1efd0b347d54a418d1724d51f8451b7d0bebbd05f648383d05c00726a7ae
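As an added example (not code from the article or from ThreatFabric), the Python triage script below covers two points made above: the indicator in the list (the 64-character hash of the fake "Adobe Flash Player" APK, assumed here to be SHA-256) and the Mystery_L0cker behaviour of packing victim files into a ZIP archive protected by a runtime-generated password. It walks a directory tree, flags APKs whose SHA-256 matches the blocklist, and reports ZIP archives whose members carry the ZIP encryption flag. The sample archive, the sample APK bytes and the directory layout are constructed for the demonstration; the article does not state whether Mystery_L0cker uses standard ZIP encryption, so the encrypted-member check is a generic indicator for an analyst to follow up, not a signature.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# Hash of the lure APK listed in the article ("Adobe Flash Player", package install.apps).
# 64 hex characters; assumed to be SHA-256.
MYSTERYBOT_APK_SHA256 = {
    "334f1efd0b347d54a418d1724d51f8451b7d0bebbd05f648383d05c00726a7ae",
}


def sha256_file(path, chunk_size=1 << 16):
    """Stream-hash a file so that large APKs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def encrypted_entries(path):
    """Names of ZIP members whose general-purpose flag bit 0 (encryption) is set.

    Returns [] for files that are not valid ZIP archives. Only the central
    directory is read, so no password is needed to inspect the flags.
    """
    if not zipfile.is_zipfile(path):
        return []
    with zipfile.ZipFile(path) as archive:
        return [info.filename for info in archive.infolist() if info.flag_bits & 0x1]


def triage(root, iocs=MYSTERYBOT_APK_SHA256):
    """Walk `root`; report APKs matching the hash blocklist and ZIPs with encrypted members.

    Each finding is a tuple: ("ioc_hash_match", path) or ("encrypted_zip", path, count).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".apk"):
                if sha256_file(path) in iocs:
                    findings.append(("ioc_hash_match", path))
            elif lower.endswith(".zip"):
                names = encrypted_entries(path)
                if names:
                    findings.append(("encrypted_zip", path, len(names)))
    return findings


def constructed_encrypted_zip_bytes():
    """Constructed sample: a one-member ZIP with the encryption flag set.

    Python's zipfile cannot write encrypted members, so a plain archive is built
    and bit 0 of the general-purpose flag field is patched in both the local
    file header (offset 6) and the central directory entry (offset 8). The
    payload itself stays in the clear; only the flag matters to the scanner.
    """
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("IMG_0001.jpg", b"constructed sample data")
    data = bytearray(buffer.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        data[pos + flag_offset] |= 0x01
    return bytes(data)


def run_constructed_demo():
    """Build a throwaway directory with one flagged ZIP and one benign APK, then triage it.

    Returns the paths, the findings with the article's blocklist alone, and the
    findings when the sample APK's own hash is added (simulating a new indicator).
    """
    root = tempfile.mkdtemp(prefix="mysterybot-triage-")
    zip_path = os.path.join(root, "photos.zip")
    with open(zip_path, "wb") as fh:
        fh.write(constructed_encrypted_zip_bytes())
    apk_path = os.path.join(root, "flash_player.apk")  # constructed, not the real lure
    with open(apk_path, "wb") as fh:
        fh.write(b"constructed apk bytes")
    baseline = triage(root)
    extended = triage(root, MYSTERYBOT_APK_SHA256 | {sha256_file(apk_path)})
    return {"root": root, "zip": zip_path, "apk": apk_path,
            "baseline": baseline, "extended": extended}


if __name__ == "__main__":
    result = run_constructed_demo()
    for finding in result["extended"]:
        print(*finding)
```

Run it against a copy of a device's external storage (or an APK collection) by calling `triage("/path/to/copy")`; a hash match is a confirmed indicator, while an encrypted ZIP is only a lead that needs a look at the archive's timestamps and member names before drawing conclusions.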
If you found this helpful, please let us know. You can also drop your feedback in the comment section below.