Cybercriminals have a new Android malware program in their toolbox called MysteryBot that can serve multiple purposes: banking Trojan, keylogger and ransomware.
The Trojan was identified by researchers from threat intelligence firm ThreatFabric and seems to be related to the LokiBot Android banking Trojan, possibly even created by the same authors.
However, MysteryBot can do much more than Loki. Judging by the implemented commands, hackers can use the Trojan to initiate phone calls from infected devices, forward calls, steal all SMS messages, send SMS messages, delete SMS messages, copy the contact list, spam the contact list and more.
Of note are two commands called Keylogg and Screenlock. The first records and steals all text entered on infected devices, including passwords. The second encrypts files in the external storage directory and deletes all contact details from the device, which is essentially ransomware behavior.
There’s also a command called De_Crypt that’s not yet fully implemented in the samples seen by ThreatFabric, but likely will be used later to decrypt files if users pay the ransom. Another command that is listed in the code, but not yet implemented, is called StartApp and probably will provide attackers with the ability to launch any applications from the infected devices.
The presence of these incomplete commands suggests that the malware is still in development, but the malware authors have already made several innovations. For one, they are using a reliable technique to bypass the overlay restrictions introduced in Android 7 and 8.
The overlay feature refers to the ability of applications to display screens on top of other active applications. This is used by legitimate applications such as password managers to provide autofill functionality, but also historically has been abused by malware to show fake login forms when users open banking apps.
MysteryBot bypasses the new restrictions introduced in Android 7 and 8 by masquerading as Flash Player and asking users for a permission called Usage Access. This permission lets the malware detect which application is in the foreground and when it was opened, so it can display its rogue phishing screen at the right moment. MysteryBot targets an extensive list of mobile banking and social media apps.
It seems that the Trojan’s authors have also innovated in their keylogging implementation. Traditionally, Android malware has taken screenshots of tapped keys or has abused the Accessibility Service for keylogging, which requires a special permission. However, MysteryBot uses a completely new technique that calculates where each key is displayed on the screen, regardless of whether the phone is held vertically or horizontally, and then correlates the user’s screen taps with those positions to determine the pressed keys.
“The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of Personal Identifiable Information in order to perform fraud,” the ThreatFabric researchers warn in a blog post.
Clipboard Malware Hijacks Bitcoin and Ethereum Transactions
Security researchers from Chinese security firm 360 warn users that a new malware program detected on more than 300,000 computers allows attackers to steal Bitcoin and Ethereum cryptocurrency by diverting it to rogue wallets.
The malware, called ClipboardWalletHijacker, monitors the Windows clipboard and detects when Bitcoin or Ethereum wallet addresses are copied into it, which happens when users copy addresses from or into websites, messaging clients or other applications. The malware then replaces those addresses in the clipboard with Bitcoin and Ethereum addresses belonging to the attackers, so that affected users paste those instead when they want to initiate transactions.
Since Bitcoin and Ethereum wallet addresses are made up of random letters and numbers and are pretty long, it’s unlikely that users will notice the switch.
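As an added illustration of the defensive side, and not code from the 360 report, the Python sketch below flags the substitution pattern described above: it remembers what the user last copied and alerts when a later clipboard read holds a different wallet address of a kind the user had copied. The event list, the address-shape patterns and the attacker addresses are constructed for this example; it recognises address shape only and does no checksum validation.

```python
import re

# Address-shape patterns (constructed for this example; shape only, no checksum check).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),   # base58 P2PKH / P2SH
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),        # bech32 segwit
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),                        # 20-byte hex account
}

def classify_address(text):
    """Return the wallet-address family of `text`, or None if it is not shaped like one."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None

def detect_clipboard_swaps(events):
    """Scan a sequence of clipboard events for silent address substitution.

    Each event is (source, content). source is "copy" when the user explicitly copied
    text, or "poll" when a background check read the clipboard with no user action.
    A swap is flagged when a polled value is a wallet address that differs from the
    address the user last copied: the clipboard changed without the user touching it.
    """
    alerts = []
    last_copied = None
    for source, content in events:
        if source == "copy":
            last_copied = content.strip()
            continue
        polled = content.strip()
        if last_copied is None or polled == last_copied:
            continue
        polled_family = classify_address(polled)
        if polled_family and classify_address(last_copied):
            alerts.append({"expected": last_copied, "found": polled, "family": polled_family})
    return alerts

# Constructed sample: genuine-looking copies followed by background reads of the clipboard.
SAMPLE_EVENTS = [
    ("copy", "meeting notes"),
    ("poll", "meeting notes"),
    ("copy", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "1AttackerPayoutAddressConstructed"),           # swapped while user was pasting
    ("copy", "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
    ("poll", "0xcafebabecafebabecafebabecafebabecafebabe"),   # swapped again
    ("copy", "hello"),
    ("poll", "0xcafebabecafebabecafebabecafebabecafebabe"),   # user copied no address: not flagged
]
```

A real monitor would feed `detect_clipboard_swaps` from the OS clipboard and a copy hook; the point is that the check needs a record of what the user actually copied, not just the clipboard's current value.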
This technique is often used in combination with cryptominers that also use the victims’ computers to mine cryptocurrency, the 360 researchers said in a blog post.