Security researchers have spotted another dangerous threat that is being targeted at mobile users. The MysteryBot Android Trojan is the latest offensive tactic against mobile devices as it is being launched on a global scale. It is rated as a critical threat due to the fact that it has can lead to dangerous system modifications, many of them involving the security and privacy of the device owners.
MysteryBot Android Trojan Revealed: Methods of Infection
The MysteryBot Android Trojan was discovered following a recent investigation of a malicious dropper that was initially used to infect targets with the GandCrab ransomware. Apparently the droppers were part of a botnet network that can be customized to deliver a wide range of computer threats — both desktop viruses, ransomware, Trojans and mobile malware. The research shows that it is being used by criminal groups that are known to leverage all kinds of threats to their intended victims.
The performed analysis shows that the same hacker-controlled servers that power MysteryBot are responsible for the LokiBot banking Trojan. This fact may mean that it is being operated by the same criminal collective.
Botnets usually send out bulk email SPAM messages that use various social engineering tactics that attempt to coerce the victims into interacting with the dangerous elements. They are usually either attached directly to the messages or hyperlinked in the body contents. This particular email SPAM wave may use text and graphics taken from popular software companies or services in order to make them download the infected files. This particular campaign seems to deliver two counterfeit versions of the Adobe Flash Player.
MysteryBot Android Trojan Capabilities
Once the MysteryBot Android Trojan has infected the target devices it can immediately execute one of the built-in commands. The security researchers have been able to harvest a list of all possible actions:
- CallToNumber — Calls a given phone number from the infected device.
- Contacts — Gets contact list information (phone number and name of contacts).
- De_Crypt — No code present, in development (probably decrypts the data / reverse the ransomware).
- ForwardCall — Forwards incoming calls of the device to another number.
- GetAlls — Shortened for GetAllSms, copies all the SMS messages from the device.
- GetMail — No code present, in development (probably stealing emails from the infected device).
- Keylogg — Copy and saves keystrokes performed on the infected device.
- ResetCallForwarding — Stops the forwarding of incoming calls.
- Screenlock — Encrypts all files in the External Storage Directory and deletes all contact information on the device.
- Send_spam — Sends a given SMS message to each contact in the contact list of the device.
- Smsmnd — Replaces the default SMS manager on the device, meant for SMS interception.
- StartApp — No code present, in development (probably allows to remotely start application on the infected device).
- USSD — Calls a USSD number from the infected device.
- dell_sms — Deletes all SMS messages on the device.
- send_sms — Sends a given SMS message to a specific number.
The analysis also shows that the underlying engine is modular in nature allowing the hacker operators to submit custom commands. As the newer versions of the Android operating system (7 and 8) have fixed the hacker tactic of creating overlays over user-installed applications — mobile banking solutions, payment services or web browsers. This has prompted the criminal developers to think of a new solution that is capable of going around the system’s protective measures. The new technique abuses a service permission called PACKAGE USAGE STATS which is accessible through the Accessibility Service permission. As a consequence can enable and abuse any other permission without the user’s consent.
The performed code analysis shows that the captured strains of the MysteryBot Android Trojan does contain a specially devised keylogger. This shows that the hackers have created an entirely new virus component. This makes it very hard to detect as its signature may not be available for all security solutions. This component also uses a non-standard approach in hijacking the user’s information by creating a grid layout of the key positions of the keyboard. The built-in algorithm works both for horizontal and vertical use. At the moment it seems to be still in a testing phase as a report method has not been implemented yet.
MysteryBot Android Trojan Additional Threats
The MysteryBot Android Trojan contains several other modules that are part of its main engine. One of the main ones is the built-in ransomware called Mystery_L0cker. Like its desktop equivalents it allows the criminals to enable a file encryption operation that targets sensitive user data. It follows a preset behavior that consists of the following steps:
- The virus engine scans the local system for files according to the built-in list of target file type extensions.
- Each file is placed in an individual ZIP archive file.
- A password is generated by the engine at runtime using a complex algorithm.
When the encryption process is complete a notiifcation message is created and presented to the victims. They are blackmailed by the operators by showing them a message that they have been watching pornographic materials. According to the message the victims are blackmailed that they can restore their devices by emailing the hackers.
The installed instances of the MysteryBot Android Trojan can contact a hacker-controlled server in order to access instructions on how to overlay certain banking applications. This is done in order to fool the users that they are entering their credentials to the Trojan itself. At partial list of the target apps includes the following instances:
Easybank, VolksbankBanking, Bankwest, INGAustraliaBanking, NABMobileBanking, SuncorpBank, INGDirectFrance,
RaiffeisenSmartMobile, AkbankDirekt, ANZAustralia, AOL-News Mail & Video, AxisMobile-FundTransfer,UPI,Recharge&Payment,
BankAustriaMobileBanking, BankinterMóvil, BBVA Spain, BBVANetcash PT, BendigoBank, BoursoramaBanque, Banque, ChaseMobile,
CIBCMobileBanking®, CIC, CitibankAustralia, FifthThirdMobileBanking, CréditMutuel, CommBank, iMobilebyICICIBank, Gumtree:Search,
Buy&Sell, Facebook, Facebook Messenger–TextandVideoChatforFree, QNBFinansbankCepŞubesi, LaBanquePostale, GarantiMobileBanking,
GetinMobile, LloydsBankMobileBanking, Halifax:thebankingappthatgivesyouextra, HSBCMobileBanking, BankofAmericaMobileBanking, RaiffeisenELBA,
CapitalOne®Mobile, CitiHandlowy, Kutxabank, MACIF-Essentielpourmoi, Microsoft Outlook, Skrill, NETELLER, CréditduNordpourMobile, PayPal,
İşCep, Ruralvía, SBIAnywherePersonal, Skype, HDFCBankMobileBanking, Sparkasse+FinanzenimGriff, SparkasseIhremobileFiliale,
SunTrustMobile, TDCanada, BancaMóvilLaboralKutxa, HalkbankMobil, BancolombiaAppPersonas, UnionBankMobileBanking, USAAMobile,
U.S.Bank, VakıfBankMobilBankacılık, ViberMessenger, WhatsAppMessenger, YahooMail–StayOrganized, YapıKrediMobile, ZiraatMobil,
comdirectmobileApp, CommerzbankBankingApp, Consorsbank, DKB-Banking, VR-Banking, PostbankFinanzassistent, SpardaApp,
Popular, Santander, Bankia, EVOBancomóvil, CaixaBank, BankPekao, PekaoBiznes24, MobileBank, HVBMobileB@nking,
BanquePopulaire, MaBanque, MesComptes-LCLpourmobile, MobileBanking, BarodamPassbook, L'AppliSociétéGénérale,
SantanderMobileBanking, MesComptesBNPParibas, BankSAMobileBanking, BankofMelbourneMobileBanking, St.GeorgeMobileBanking,
WestpacMobileBanking, BZWBK24mobile, eurobankmobile, TokeniPKO, mBankPL, IKO , BancaTransilvania, IDBIBankGOMobile,
MysteryBot Android Trojan Infections Incoming
Even though the virus is a considerable one due to it’s many features and advanced infiltration methods. However some of the included components are still being developed and the security experts state that its very possible that future versions of it will have an even larger impact.
One of the most prominent examples is the addition of newer functionality to the network connection module. Advanced versions of mobile Trojans can also add the ability to spy on the victims in real time, as well as harvest data that can personally identify the users. This is made possible by searching for strings that can expose their name, address, location, interests, phone number, passwords and account credentials.
Another possible development of the MysteryBot Android Trojan is the inclusion of a surveillance component. It would allow the hacker operators to spy on the device owners at any given time and also take over control of them.
As the infections continue to be pushed to targets worldwide we may see the patched versions. All Android users are advised to exercise extreme caution.