MysteryBot: Do You Do Your Banking on Your Phone?

First, there was LokiBot, which was discovered last October - a particularly nasty Android ransomware. Usually cyber attackers plan to make money from ransomware by demanding a ransom from their victims with the promise of decrypting their files. Sometimes the ransomware-encrypted files can be decrypted by paying the ransom, and sometimes they can’t. Sometimes cyber attackers are full of lies and just want your money.

LokiBot was a bit different. LokiBot was a banking Trojan which was sold in Dark Web malware markets. Once it gained administrative privileges on an infected device, it displayed fake login screens on top of your favorite legitimate Android apps. Skype, Outlook, and WhatApp Messenger were targeted, in addition to popular banking apps.

Fake notifications were generated which made the user think that they were entitled to receive money, and compelled them to check their bank account through their banking app. LokiBot employed a man-in-the-middle attack that rerouted network traffic while trying to grab your banking credentials. That’s pretty nasty in and of itself.

If you tried to remove LokiBot’s admin privileges, it became ransomware, claimed that your phone was locked for criminal activity, and said that it would report you to law enforcement if you didn’t cooperate. Whoa! But LokiBot’s dark secret is that it never properly encrypted your files in the first place.

“The encryption function in this ransomware utterly fails, because even though the original files are deleted, the encrypted file is decrypted and written back to itself. Thus, victims won't lose their files, they are only renamed," said researchers investigating LokiBot.

LokiBot could be removed by booting into Safe Mode, removing LokiBot’s privileges and then uninstalling it. It appears that cyber attackers have made over a million dollars worth of cryptocurrency via LokiBot in October alone.

Enter MysteryBot

Even though the rates of LokiBot infection are falling, that’s not the last we’ve seen of that sort of behavior, or even of LokiBot’s command and control (C2) servers.

Just recently, researchers have discovered a new threat called MysteryBot, which uses the same C2 servers as LokiBot, so it was probably developed by the same group of attackers. Brace yourselves, because MysteryBot is even worse!

In addition to targeting banking apps by displaying fake login screens which can grab your credentials, MysteryBot also contains a keylogger, and it can also grab your instant messages and emails. Plus, when MysteryBot becomes ransomware (triggered by a user trying to remove its privileges), it might actually be able to encrypt your files successfully.

Innovative New Android Malware Functionality

MysteryBot’s keylogger is one of the most sophisticated mobile keyloggers ever seen. A lot of sensitive information is typed into Android touchscreen keyboards! From the report:

“Upon analyzing the keylogger functionality, it struck us as odd that none of the known keylogging techniques were used. The two other well-known Android banking Trojans embedding a keylogging module (CryEye and Anubis) do abuse the Android Accessibility Service to log the keystrokes or make screenshots upon keypresses; however, this technique requires the victim to grant Accessibility Service permission after installing the malware (hence requiring more user interaction to be successful).

“MysteryBot seems to use a new and innovative technique to log keystrokes. It considers that each key of the keyboard has a set location on the screen, on any given phone and regardless if the phone is in held horizontally or vertically, it also takes into consideration that each key is the same size, and therefore is the same number of pixels away from the previous key.”

It’s a lot more difficult for cyber attackers to overlay fake login screens on legitimate apps in Android 7 and 8. MysteryBot overcomes the newer Android security features. The researchers wrote:

“The success of the overlay attacks relies on timing, luring the victim onto a fake page asking for credentials or credit card information at the moment the related app is opened by the victim. Mistiming the overlay would make the overlay screen appear at an unexpected moment, resulting in the victim realizing presence of the malware.”

“This has been made difficult with the restrictions employed by Security-Enhanced Linux (SELinux) and other security controls (sandbox restrictions) in Android 7 and 8. Hence, actors have been working hard on finding new ways to time overlays correctly, which resulted in many technical debates in the Android banking Trojan criminal ecosystem.”

The new malicious overlay exploit depends on the user granting the MysteryBot Trojan Usage Access, Device Administrator, and Accessibility Service permissions. How many times do users install Android apps, and when they ask for an assortment of permissions think, “blah, blah, blah, I want this app, hit ‘Ok!’” Just like End User License Agreements, right? Admittedly, I’ve been guilty of this myself.

But Can MysteryBot Ransomware Really Encrypt and Decrypt?

Like LokiBot, MysteryBot becomes ransomware if the user tries to remove its privileges. Yet again, the ransomware screen says that criminal activity was found and the user will be reported to law enforcement if they don’t pay the ransom. Researchers did find some indications that the ransomware’s encryption function might actually work, unlike LokiBot:

“MysteryBot also embeds a ransomware feature allowing itself to encrypt individually all files in the external storage directory, including every sub directory, after which the original files are deleted. The encryption process puts each file in an individual ZIP archive that is password protected, the password is the same for all ZIP archives and is generated during runtime.”

But they also found a few bugs:

“Firstly, the password used during the encryption is only 8 characters long and consists of all characters of the Latin alphabet (upper and lower case) combined with numbers. The total amount of characters to pick from is 62, leaving the total possible combinations a total of 62 to the power of 8, which could be brute-forced with the relevant processing power.”

“Secondly, the ID assigned to each victim can be a number between 0 and 9999. Since there is no verification of existing ID, it is possible that another victim with the same ID exists in the C2 database, overwriting the ID in the C2 database. Resulting in the impossibility for older victims with duplicated ID to recover their files.”

So unlike LokiBot, MysteryBot likely will encrypt the user’s files. But paying the ransom likely won’t decrypt the user’s files. MysteryBot looks like it’s worse than LokiBot in this respect because the user’s files will actually be encrypted either way.

Legitimate Apps Targeted by MysteryBot Overlays

Here are some of the legitimate apps that the researchers have found MysteryBot can put credential grabbing overlays on:

  • PayPal
  • Facebook
  • Skype
  • AOL News, Mail & Video
  • Easybank
  • Bankwest
  • Chase Mobile
  • Citibank Australia
  • Lloyd’s Bank Mobile Banking
  • TD Canada Trust
  • U.S. Bank
  • Santander
  • St. George Mobile Banking
  • BancaTransilvania
  • WhatsApp Messenger
  • Yahoo Mail
  • SunTrust Mobile App
  • Halifax Banking
  • CréditMutuel
  • CommBank
  • CIBC Mobile Banking
  • Volksbank Banking
  • ING Australia Banking
  • ING Direct France
  • Suncorp Bank
  • ANZ Australia
  • BBVA Spain
  • Bank Austria Mobile Banking
  • Getin Mobile Banking

So, it would appear that the cyber attackers behind MysteryBot are trying to target banks around the world, and some of the most popular apps used for communication as well.

Reducing the Risk of MysteryBot Infection

MysteryBot appears to be a work in progress and it’s not widespread yet. Its capabilities can improve. However, the number of apps that it targets may well increase. Its spyware and remote access trojan (RAT) capabilities can improve. Who knows what forms the Trojan will take when it tries to compel its victims to believe that it’s an app they want to install? Weird copycat games? Useful utilities?

I recommend that people configure their Android phones and tablets to only install apps from the Google Play Store. Malware has been distributed through the Store in the past, but Google should be on the lookout for Trojans like MysteryBot so that people are a lot less likely to get infected with it through those means.

Also, take your time when you install a new app or when an old app requests new permissions. Read through all of the requested permissions. Are they justified? Do they make sense? A simple mobile game doesn’t need access to your email, for example. Use common sense when you read about requested permissions. Also, I notice a lot of people don’t have an antivirus app on their phones. That makes my jaw drop... Android malware is now more common than Windows malware.