MysteryBot Android Malware Fuses Keylogger, Ransomware And Banking Trojan Into Toxic Hellstew

Researchers have discovered a new strain of malware for Android devices that combines different styles of attack into a single package.

Called MysteryBot, the new malware hits victims with a banking Trojan, keylogger, and ransomware in one fell swoop. The good news here is that the cybercriminals responsible for MysteryBot are still developing it, and it does not appear to be spreading in the wild at the moment. However, that could change at any time.

Initially, the researchers thought they were looking at a revised version of LokiBot, a banking Trojan that targets Android devices. But upon closer examination, they discovered there was much more taking place.

"During investigation of its network activity we found out that MysteryBot and LokiBot Android banker are both running on the same C&C [command and control] server. This quickly brought us to an early conclusion that this newly discovered Malware is either an update to Lokibot, or another banking Trojan developed by the same actor," ThreatFabric stated in a blog post.

It turned out to be even bigger than either of those scenarios. MysteryBot contains an extensive list of commands, including ones for stealing emails from infected devices, forwarding incoming calls to another number, viewing contacts and sending them SMS text messages, and more. Not all of the commands appear to be functional just yet, however, as some of the code is still in development. For example, the ability to swipe emails is something that is still being coded.

One particularly interesting bit is the keylogging ability. The culprit behind MysteryBot may have found a new method for recording keystrokes.

"Upon analyzing the keylogger functionality, it struck us as odd that none of the known keylogging techniques were used...MysteryBot seems to use a new and innovative technique to log keystrokes. It considers that each key of the keyboard has a set location on the screen, on any given phone and regardless if the phone is held horizontally or vertically, it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key," the researchers explain.

The Views have a width and height of 0 pixels and are not visible in screenshots, allowing the keylogger to stay undetected. Each View is then paired with a specific key so that it can register when that key has been pressed. This also appears to be under development, as it currently does not have a way of transmitting the recorded keystroke logs to the C&C server.

It's probably only a matter of time before MysteryBot is released into the wild in polished form. As always, be selective in where you download applications. Malware has also been known to slip into Google's Play Store, however, so also pay attention to how many permissions an app asks for, as that can sometimes be a sign of nefarious behavior.
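The permission check suggested above can be done mechanically on an app's decoded AndroidManifest.xml. The following is an added example, not code from ThreatFabric or from this article; the mapping from the capabilities described to Android permissions, the sample manifests, and the threshold of three capability groups are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from the article): permissions an app would typically
# request to perform the capabilities the article lists.
CAPABILITY_PERMISSIONS = {
    "draw over other apps (overlay Views)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "place or forward calls": {"android.permission.CALL_PHONE"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "send or read SMS": {"android.permission.SEND_SMS",
                         "android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
}

# Constructed sample manifests (decoded text XML), not taken from any real app.
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (el.get(ANDROID_NS + "name") for el in root if el.tag in tags)
    return {n for n in names if n}

def audit(manifest_xml, threshold=3):
    """Flag a manifest whose permissions cover `threshold` or more capability groups."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & wanted)
            for cap, wanted in CAPABILITY_PERMISSIONS.items() if perms & wanted}
    package = ET.fromstring(manifest_xml).get("package")
    return {"package": package, "capabilities": hits,
            "suspicious": len(hits) >= threshold}

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(audit(sample))
```

A flag from this check is a prompt for closer review, not proof of malice, since legitimate apps such as dialers and messengers request several of these permissions together.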

Top Image Source: Pixabay via TheDigitalWay