This new Android malware delivers banking trojan, keylogger and ransomware

Researchers uncover a form of malware that's still in development - but it has the potential to become a nasty threat.
Written by Danny Palmer, Senior Writer

An experimental form of Android malware delivers a banking trojan, a keylogger and ransomware to those unfortunate to fall victim to it.

Uncovered by security researchers at security company ThreatFabric, the malware was first thought to be an updated version of Lokibot, but as it contains various new features researchers are labelling it as a new form of malware -- MysteryBot.

However, MysteryBot and LokiBot share the same command and control server, indicating a strong link between the two forms of malware, with the potential that they've been developed by the same attacker.

The malware is also potentially potent, with the trojan capable of controlling the functionality of the infected devices, including the ability to read messages, gather contact information and more.

There are also commands for stealing emails and remotely starting applications, but these particular tools don't appear to be active yet, suggesting that this malware is still in the development phase.

While many Android malware families concentrate on attacking older versions of the Google operating system, MysteryBot has the capability to actively target Android versions 7 and 8 using overlay screens designed to look like real bank websites, but are in fact run by the attackers, the researchers said.

Fake websites of a wide variety of banks across the world are able to be displayed to the victim, ensuring that the attackers can cast a wide net for stealing entered credentials.

Once active on the device, the malware is listed as a fake version of Adobe Flash Player. However, researchers haven't detailed how the payload is initially delivered onto the device.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

Researchers say that the way the malware records keylogging in an innovative new way, by determining which key has been pressed by its location on the screen in relation to others. This is something it can do when the keyboard is held both horizontally and vertically, the researchers explain in a blog post.

However, as with other features of the malware, the keylogger still appears to be in development as there's currently no way for the logged keys to be stored on the command server.

On top of the ability to infect victims with a trojan and a keylogger, those behind MysteryBot have also been experimenting with a ransomware tool. The embedded ransomware feature enables the malware to individually encrypt files and store them in a passworded ZIP archive.

When the encryption is complete, a message accuses the victim of having watched adult content and demands that an email address be contacted to gain a password -- and presumably pay for the privilege.

However, the ransomware element of MysteryBot doesn't appear to be sophisticated. Not only because it requires contact via email, but that the password is only eight characters long, which in theory could be guessed by brute-force.

Secondly, victims are assigned an ID between 0 and 9999 and since there's no verification of existing ID, it's possible the attackers could duplicate the IDs and make it impossible for victims to retrieve files.

But despite some of the capabilities of MysteryBot currently being underdeveloped, the malware is still a potential threat.

"The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of personal identifiable information in order to perform fraud," wrote researchers.

MysteryBot isn't currently widespread and is still under development, but users should be wary of any applications they download which ask for an excessive number of permissions.


Editorial standards