Security researchers have discovered a new type of malware that combines three-legged threat with a banking trojan, keylogger, and mobile ransomware in one package.
Security researchers have discovered a new type of malware that combines a banking trojan, keylogger, and mobile ransomware in one package.
According to researchers at Threat Fabric, the malware, known as MysteryBot, runs on the same C&C server as the LokiBot Android banking trojan.
“This quickly brought us to an early conclusion that this newly discovered Malware is either an update to Lokibot, or another banking trojan developed by the same actor,” said researchers in a blog post.
They said that MysteryBot has generic Android banking trojan functionalities, but its overlay, key logging and ransomware functionalities are novel.
Researchers said that following the launch of version 7 and 8 of Android, the previously used overlay techniques were rendered inaccessible, forcing the financially motivated threat actors to find a new way to use overlays in their banking malware. This has meant that criminals have had to find new techniques to time the overlay attack correctly on Android 7 and 8.
They said that a new technique abuses a service permission called PACKAGE USAGE STATS which is accessible through the Accessibility Service permission. This allows the trojan to enable and abuse any other permission without the user’s consent.
The malware also contains a keylogger, but researchers said that none of the known keylogging techniques were used. Instead it calculates the location for each row and places a view over each key.
“This view has a width and height of zero pixels and due to the “FLAG_SECURE” setting used, the views are not visible in screenshots. Each view is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use,” said researchers.
They added that the keylogger seems to still be under development as there is no method yet to send the logs to the C2 server.
The malware also has built-in ransomware to individually encrypt all files in the external storage directory, including every sub directory, after which the original files are deleted.
“The encryption process puts each file in an individual ZIP archive that is password protected, the password is the same for all ZIP archives and is generated during runtime. When the encryption process is completed, the user is greeted with a dialog accusing the victim of having watched pornographic material,” said researchers.
This article originally appeared at scmagazineuk.com