Security researchers have found another Android banking trojan that bears striking similarities to the well-known LokiBot, but comes packed with new features, most notably the ability to carry out overlay attacks on Android 7 Nougat and Android 8 Oreo.
Researchers at ThreatFabric, who discovered the trojan, said MysteryBot shares its C&C server with the LokiBot Android banker found in 2017, suggesting that it is either an update to the original malware or was produced by the same developer. The new trojan is still a work in progress and is not yet widely distributed, according to the researchers.
The bot offers the generic Android banking trojan functionality: once a device is infected, the attacker can use MysteryBot's modules to make phone calls, scrape contact list information, log keystrokes and encrypt files on external storage such as a memory card.
Still, the researchers said there is considerably more to the story: "This Trojan has most generic Android banking trojan functionalities. The overlay, key-logging and ransomware functionalities are unique," they said in a post. "We first believed that LokiBot had been updated. But we quickly understood that there is something more. The name of the trojan malware and the name of the panel changed to 'MysteryBot,' and even the network communication changed."
A ThreatFabric representative said that the trojan is currently spreading through phishing. "The commonly used Flash Player social-engineering trick is used as part of the distribution campaign," said ThreatFabric.
ThreatFabric researchers found MysteryBot two weeks ago, and while they cannot say that it has been very active (fewer than 200 infections), they told ThreatPost that they expect it to be distributed widely once it is fully functional.
Android 7 Nougat and Android 8 Oreo ship with security protections such as Security-Enhanced Linux (SELinux), which make previously used overlay techniques hard to pull off, the researchers said. These protections stop malware from drawing fake pages on top of applications. That has left malware families like ExoBot 2.5 and others looking for new overlay strategies, and MysteryBot seems to have found one.
Specifically, the trojan abuses a weakness in the Android PACKAGE_USAGE_STATS permission (a.k.a. the "Usage Access" permission), an Android feature that exposes details about which applications are in use. Normally the victim must explicitly grant this permission, but MysteryBot uses AccessibilityService, which allows it to grant itself any required permission without the victim's consent.
Unusually, it asks victims to grant the Accessibility Service permission right after the malware is launched.
The trojan has abused this capability to mount overlay attacks against more than 100 Android applications, including WhatsApp and Facebook.
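The combination described above, an enabled AccessibilityService plus the Usage Access right it is used to self-grant, is something a defender can check for on a managed device. The script below is an added example written for this article, not code from ThreatFabric or from the malware. It parses the two text formats that `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> GET_USAGE_STATS` produce and flags any package outside a hypothetical allowlist that holds both. The sample setting string, app-op lines and package names (such as `com.example.flashupdate`) are constructed for the example, not captured from a real device.

```python
"""Triage helper: flag packages that hold both of the Android capabilities
MysteryBot abuses for overlays (an enabled AccessibilityService and the
GET_USAGE_STATS app-op, shown to users as "Usage Access").

Added example for this article; the sample data below is constructed.
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample: the 'enabled_accessibility_services' secure setting is a
# colon-separated list of package/service component names.
SAMPLE_ACCESSIBILITY_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashupdate/.SysService"
)

# Constructed sample: package -> first line of 'appops get <pkg> GET_USAGE_STATS'.
SAMPLE_APPOPS = {
    "com.android.talkback": "No operations.",
    "com.example.flashupdate": "GET_USAGE_STATS: allow; time=+2h13m41s ago",
    "com.android.settings": "GET_USAGE_STATS: allow; time=+5d ago",
    "com.example.bank": "GET_USAGE_STATS: deny; time=+1d ago",
}

# Hypothetical allowlist: first-party packages expected to hold these rights.
ALLOWLIST = {"com.android.talkback", "com.android.settings"}


def parse_accessibility_services(setting: str) -> set[str]:
    """Return the package names whose AccessibilityService is enabled."""
    packages: set[str] = set()
    for component in setting.split(":"):
        component = component.strip()
        if not component:
            continue
        # 'pkg/ServiceClass' -> keep only the package part.
        pkg, _, _ = component.partition("/")
        packages.add(pkg)
    return packages


def usage_stats_allowed(appops_line: str) -> bool:
    """True when the GET_USAGE_STATS app-op mode on this line is 'allow'."""
    head, sep, rest = appops_line.partition(":")
    if not sep or head.strip() != "GET_USAGE_STATS":
        return False  # e.g. "No operations." or an unrelated op
    mode = rest.strip().split(";")[0].strip()
    return mode == "allow"


def unexpected_accessibility_services(
    setting: str, allowlist: Iterable[str] = ALLOWLIST
) -> list[str]:
    """Packages with an enabled AccessibilityService that are not allowlisted."""
    allowed = set(allowlist)
    return sorted(p for p in parse_accessibility_services(setting) if p not in allowed)


def suspicious_packages(
    setting: str, appops: dict[str, str], allowlist: Iterable[str] = ALLOWLIST
) -> list[str]:
    """Non-allowlisted packages holding BOTH an accessibility service and Usage Access."""
    return [
        pkg
        for pkg in unexpected_accessibility_services(setting, allowlist)
        if usage_stats_allowed(appops.get(pkg, ""))
    ]


if __name__ == "__main__":
    for pkg in unexpected_accessibility_services(SAMPLE_ACCESSIBILITY_SETTING):
        print(f"[review] accessibility service enabled for non-allowlisted package: {pkg}")
    for pkg in suspicious_packages(SAMPLE_ACCESSIBILITY_SETTING, SAMPLE_APPOPS):
        print(f"[flag] {pkg}: accessibility service + Usage Access granted")
```

On a real device the two inputs would come from the `adb shell` commands named in the lead-in; the parser only looks at the first `GET_USAGE_STATS` line, so pass each package's output line individually. The allowlist is the part to tune per fleet: accessibility and usage-access grants are legitimate for screen readers and device-management agents, so the check is a triage signal, not a verdict.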