MysteryBot, the dangerous software that is a combination of 3 different malware

A new malware targeting banking apps has hit Android devices. The malware, called MysteryBot, is a combination of banking trojan, keylogger and ransomware, making it more harmful than any other known malware released recently. The malware is similar to LokiBot, which created havoc last year after it turned into ransomware when an attempt was made to remove it.

MysteryBot targets devices running Android 7 or 8. According to ThreatFabric, which first published about the malware, MysteryBot and LokiBot "run on the same C&C server".

What makes the malware so dangerous is its extraordinary ability to take full control of users' devices. In addition to the general functionality of Android banking trojans, MysteryBot also exhibits excellent overlay, keylogging and ransomware capabilities.

The malware works with a new overlay technique that abuses the PACKAGE_USAGE_STATS permission, which allows it to gain access without the user's consent.

A keylogger has also been found in the malware. According to the researchers, the keylogger does not use any of the known techniques. However, the keylogger is still in the development stage as there is no method for sending data to the C2 server.

The MysteryBot ransomware component encrypts all files individually in the external storage directory, including each subdirectory, and then deletes the original files.

"When the encryption process is complete, the user receives a message accusing them of having watched pornographic material. In order to retrieve the password and be able to decrypt his files, the user is required to send an e-mail to the e-mail address indicated."

However, MysteryBot is still under development and has not been rolled out further. It is recommended that you only install Android apps from the Google Play Store to keep your device safe. ThreatFabric added that "most Android banking Trojans seem to spread via smishing/phishing & side-loading."

Absenta Mia