MysteryBot Malware Targets Android 7 & 8 Devices with New Tricks

Android runs on a hardened, locked-down Linux kernel with per-app sandboxing, yet security researchers keep finding new Trojans for the hugely popular platform. The latest, named MysteryBot by ThreatFabric, targets devices running Android 7 and 8.

In some ways, MysteryBot resembles the earlier LokiBot Android banking Trojan. ThreatFabric's researchers compared the code of the two Trojans and concluded that there is more than likely a link between their creators; they go so far as to say that MysteryBot is built on LokiBot's code.

It even reports to the same command-and-control (C&C) server that was used in an earlier LokiBot campaign, which suggests that both were developed and deployed by the same group.

Whether or not the same group is behind both, the code overlap may also be related to the fact that LokiBot's source code leaked onto the web a few months ago. The leak cut both ways: it also helped security researchers, who used it to develop mitigations for LokiBot.

MysteryBot has a few traits that set it apart from other Android banking malware. For one, it can reliably display overlay screens that mimic the login pages of legitimate apps on Android 7 and 8. Starting with Android 7, Google restricted the ways an app can find out which other app is currently in the foreground, and that change broke the overlay timing of existing malware on those versions.

As a result, older banking malware showed its overlays at odd moments, because it could no longer tell which app the user was looking at. MysteryBot works around this by abusing the Usage Access permission (PACKAGE_USAGE_STATS), which is intended for apps that display per-app usage statistics; the usage data it exposes indirectly reveals which app is currently in the foreground, so the fake login screen can be shown at exactly the right time. The permission must be granted by the user in the Settings app, so the malware still has to talk the victim into enabling it.

It is unclear how MysteryBot behaves on Lollipop (Android 5) and Marshmallow (Android 6) devices, which should make for interesting research in the coming weeks: those versions do not necessarily have the newer foreground-app restrictions, so the workaround may not even be needed there.
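The overlay trick above hinges on a permission pairing: the app must be able to draw on top of other apps and learn which app is in the foreground. A triage script that checks a decoded manifest for exactly that pairing is one practical check a malware analyst can add. The code below is an added example, not ThreatFabric's tooling or MysteryBot's code; it assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool), the sample manifests are constructed, and the overlay plus Usage Access pairing is a hand-picked heuristic rather than a definitive detector.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the overlay +
Usage Access permission pairing. Added illustration; the pairing is an
assumed heuristic and the sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Lets an app draw windows on top of other apps (used for fake login overlays).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
# "Usage Access" in Settings; its per-app statistics reveal the foreground app.
USAGE_ACCESS = "android.permission.PACKAGE_USAGE_STATS"


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Flag the overlay + usage-access pairing and report what was found."""
    perms = declared_permissions(manifest_xml)
    pairing = OVERLAY in perms and USAGE_ACCESS in perms
    findings = []
    if pairing:
        findings.append(
            "overlay + usage access: app can draw over other apps and learn "
            "which app is in the foreground (MysteryBot-style overlay timing)"
        )
    elif USAGE_ACCESS in perms:
        findings.append("usage access requested: check whether the app plausibly needs it")
    return {"permissions": sorted(perms), "findings": findings, "suspicious": pairing}


# Constructed sample manifests (hypothetical package names, not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Update"/>
</manifest>"""


if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(name, triage(xml))
```

Declaring PACKAGE_USAGE_STATS is only half the story: on a real device the user still has to enable Usage Access for the app in Settings, so a manifest hit is a reason to look closer, not proof of malice. Legitimate launchers, parental-control and screen-time apps request the same permission.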

By targeting over 100 popular apps, many of them well outside mobile banking, MysteryBot could harvest login details even from compromised users who use their smartphones only lightly. It does not appear to be in active circulation yet, however.

In addition, MysteryBot includes a keylogger that works differently from earlier ones: whenever the user taps the on-screen keyboard, it records the screen coordinates of the touch and then tries to infer which virtual key was pressed from the position of the touch relative to the keyboard layout, which amounts to an educated guess.

While this is a big step beyond the screenshot-based keyloggers seen in earlier Android malware, security experts are already hard at work on a mitigation.
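To see why coordinate-based key inference is both powerful and noisy, it helps to model it. The code below is an added example, not MysteryBot's code or ThreatFabric's analysis; it assumes a three-row QWERTY keyboard in portrait orientation whose on-screen geometry (screen width, top edge and height of the keyboard) is known, with key centres on a regular grid and the row indents chosen here as typical values. The touch sequence is constructed.

```python
"""Model of coordinate-based keylogging: map touch coordinates to the
nearest virtual keys of an assumed QWERTY layout. Added illustration;
keyboard geometry and the sample touches are assumptions."""
import math

ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Horizontal indent of each row, in key widths (assumed typical layout).
ROW_INDENT = (0.0, 0.5, 1.5)


def build_layout(screen_width: int, keyboard_top: int, keyboard_height: int) -> dict:
    """Map each key to the (x, y) pixel centre of its touch target."""
    key_w = screen_width / len(ROWS[0])
    row_h = keyboard_height / len(ROWS)
    layout = {}
    for r, row in enumerate(ROWS):
        cy = keyboard_top + row_h * (r + 0.5)
        for i, key in enumerate(row):
            cx = (ROW_INDENT[r] + i + 0.5) * key_w
            layout[key] = (cx, cy)
    return layout


def rank_keys(x: float, y: float, layout: dict, n: int = 3) -> list:
    """Return the n nearest keys to a touch, closest first, with distances."""
    scored = sorted(
        (math.hypot(x - cx, y - cy), key) for key, (cx, cy) in layout.items()
    )
    return [(key, round(dist, 1)) for dist, key in scored[:n]]


def is_ambiguous(x: float, y: float, layout: dict, margin: float) -> bool:
    """True when the two nearest keys are within `margin` pixels of each other,
    i.e. the touch sits on a key boundary and the guess is unreliable."""
    first, second = rank_keys(x, y, layout, n=2)
    return (second[1] - first[1]) < margin


def infer_text(touches, layout: dict) -> str:
    """Best-guess text from a sequence of (x, y) touch coordinates."""
    return "".join(rank_keys(x, y, layout, n=1)[0][0] for x, y in touches)


# Constructed sample: 1080 px wide screen, keyboard occupying y = 1200..1800.
SAMPLE_LAYOUT = build_layout(1080, 1200, 600)
SAMPLE_TOUCHES = [(1020, 1310), (105, 1495), (220, 1510), (215, 1490)]

if __name__ == "__main__":
    print("inferred:", infer_text(SAMPLE_TOUCHES, SAMPLE_LAYOUT))
    for x, y in SAMPLE_TOUCHES + [(162, 1500)]:
        print((x, y), rank_keys(x, y, SAMPLE_LAYOUT),
              "ambiguous" if is_ambiguous(x, y, SAMPLE_LAYOUT, margin=20) else "")
```

The last touch in the demo, at x = 162, lands exactly on the boundary between "a" and "s", and the model cannot tell them apart. On a real device the problem is worse: the keyboard app, language, orientation and the letter/number/symbol page all change the geometry, and a logger that only sees coordinates has to assume one layout. That is why the technique yields guesses rather than keystrokes, and also why it can be improved by recording the set of candidate keys rather than a single best guess.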

John Rendace
John is a GNU/Linux expert with a hobbyist's background in C/C++, Web development, storage and file system technologies. In his free time, he maintains custom and vintage PC hardware. He's been compiling his own software from source since the DOS days and still prefers using the command line all these years later.