New Android malware similar to Lokibot has been identified to also affect banking sector. Last year, Lokibot horrified everyone. The banking Trojan that could transform itself into ransomware and also updated itself every week to strengthen its stronghold on affected systems. Now, it seems like LokiBot has got a sibling as another banking Trojan, MysteryBot, steps in targeting the Android devices.
MysteryBot – Android’s New Malware
Security researchers have discovered another Android Trojan that poses a threat to banking apps. Termed as ‘MysteryBot’ by ThreatFabric, it targets Android 7 and 8 devices worldwide.
As revealed by researchers, MysteryBot appears somewhat similar to LokiBot. But, it has some differences too, such as the way in which it utilises network communication. However, a deeper analysis showed its link to the same C&C server as that of LokiBot. So, either the same actor has created it, or it is an improved version of LokiBot.
The malware exhibits exceptional capabilities, taking complete control of the affected device. It can make calls from the phone, access phonebook details, copy text messages, manage call forwarding and can work as a keylogger. Moreover, it can also encrypt all files in the external storage and can delete contact details from the device.
Regarding its point of entry, the malware will enter your device by disguising itself as Adobe Flash Player. It will be using a new technique due to the advancements made in Android 7 and 8.
“With the introduction of the version 7 and 8 of Android, the previously used overlay techniques were rendered inaccessible, forcing the financially motivated threat actors to find a new way to use overlays in their banking malware.”
The researchers further explained,
“A new technique has been conceived and is currently being used, it abuses the Android PACKAGE_USAGE_STATS permission (commonly named Usage Access permission).
The code of MysteryBot has been consolidated with the so-called PACKAGE_USAGE_STATS technique. Because abusing this Android permissions requires the victim to provide the permissions for usage, MysteryBot employs the popular AccessibilityService, allowing the Trojan to enable and abuse any required permission without the consent of the victim.”
MysteryBot Will Target Several Banking Apps
Although the malware can do pretty much whatever it likes after infecting the device, its primary goal is supposedly to target banking apps. The researchers have given a long list of such applications that might be the specific target of this malware.
MysteryBot can perform mobile banking activities without the victim’s knowledge or consent. As everything will be performed in a seemingly legit way through the victim’s device, the financial institutions will face difficulties in detecting malicious actions.