MysteryBot: Do You Do Your Banking on Your Phone?

First, there was LokiBot, which was discovered last October – a particularly nasty Android ransomware. Usually cyber attackers plan to make money from ransomware by demanding a ransom from their victims with the promise of decrypting their files. Sometimes the ransomware-encrypted files can be decrypted by paying the ransom, and sometimes they can’t. Sometimes cyber attackers are full of lies and just want your money.

LokiBot was a bit different. LokiBot was a banking Trojan sold in Dark Web malware markets. Once it gained administrative privileges on an infected device, it displayed fake login screens (overlays) on top of legitimate Android apps so that anything you typed went to the attackers. Skype, Outlook, and WhatsApp Messenger were targeted, in addition to popular banking apps.

LokiBot also generated fake notifications claiming that the user had money coming to them, prompting them to open their banking app and log in, which is exactly what the overlay was waiting for. On top of that, it rerouted the device's network traffic to put itself in a man-in-the-middle position, another route to your banking credentials. That's pretty nasty in and of itself.

If you tried to revoke LokiBot's admin privileges, it switched to ransomware mode: it claimed that your phone had been locked for criminal activity and threatened to report you to law enforcement if you didn't cooperate. Whoa! But LokiBot's dark secret is that it never properly encrypted your files in the first place.

“The encryption function in this ransomware utterly fails, because even though the original files are deleted, the encrypted file is decrypted and written back to itself. Thus, victims won’t lose their files, they are only renamed,” said researchers investigating LokiBot.
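To make the quoted failure concrete, the following is an added Python model of the file handling the researchers describe; it is not LokiBot's code and not part of the original post. The cipher is a stand-in XOR stream (an assumption, since the real malware's cipher is not described here), and the `.locked` extension, file name and file contents are constructed for the example.

```python
import os
import tempfile

# Stand-in cipher (assumption): a repeating-key XOR stream. Applying it
# twice with the same key restores the input, which is all the model needs.
# The real malware's cipher is not described on this page.
def toy_cipher(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def broken_ransom_encrypt(path: str, key: bytes) -> str:
    """Model of the flawed routine the researchers describe: the original
    file is deleted, but the encrypted copy is then decrypted and written
    back to itself, so the victim is left with a renamed plaintext file."""
    with open(path, "rb") as f:
        plaintext = f.read()

    locked_path = path + ".locked"          # constructed extension for the model
    with open(locked_path, "wb") as f:
        f.write(toy_cipher(plaintext, key))  # ciphertext is written ...
    os.remove(path)                          # ... and the original is deleted,

    # ... but the "encrypted" file is decrypted and written back to itself.
    with open(locked_path, "rb") as f:
        stored = f.read()
    with open(locked_path, "wb") as f:
        f.write(toy_cipher(stored, key))     # plaintext again
    return locked_path


def recover(locked_path: str) -> str:
    """Victim-side recovery: the content is already plaintext, so restoring
    the file is just stripping the added extension."""
    original = locked_path[: -len(".locked")]
    os.rename(locked_path, original)
    return original


def demo() -> dict:
    """Run the model on a constructed sample file and report what a victim
    (or an incident responder) would find afterwards."""
    key = b"k3y"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "photo.jpg")
        sample = b"constructed sample file content, not a real photo"
        with open(path, "wb") as f:
            f.write(sample)

        locked = broken_ransom_encrypt(path, key)
        with open(locked, "rb") as f:
            after = f.read()

        restored = recover(locked)
        with open(restored, "rb") as f:
            restored_bytes = f.read()

        return {
            "renamed_to": os.path.basename(locked),
            "original_removed": not os.path.exists(path) or restored == path,
            "content_intact": after == sample,           # True: never really encrypted
            "cipher_would_have_changed_it": toy_cipher(sample, key) != sample,
            "restored_matches": restored_bytes == sample,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check an incident responder would run on a device hit by this kind of "ransomware" follows from the model: read a few of the renamed files and see whether they still open as their original type. If they do, no decryption key is needed and paying the ransom buys nothing.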

LokiBot could be removed by booting the phone into Safe Mode (which keeps third-party apps from running), revoking its device administrator privileges, and then uninstalling it. It appears that cyber attackers made over a million dollars' worth of cryptocurrency via LokiBot in October alone.

Even though the rates of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Kim Crawley. Read the original post at: