Banking Trojans have become a standard tool for cybercriminals looking for easy money, and their operators keep inventing social engineering lures to get victims to take the bait.
Over the past couple of years, malware authors have refined both their social engineering and the banking Trojans that appear on the threat landscape. In the report, researchers noted that “MysteryBot and LokiBot Android banker are both running on the same C&C server,” which led some in the infosec community to see MysteryBot as merely an improved LokiBot 2.0 causing trouble. That is an underestimation: even if, as speculated, the same author is behind LokiBot and MysteryBot, MysteryBot is considerably more powerful in terms of what it can do.
MysteryBot has many of the core features of other banking Trojans (e.g. keylogging). What sets it apart from its competition is how it manages overlay attacks on Android 7 (Nougat) and 8 (Oreo). The security measures that came with those releases, notably the Security-Enhanced Linux (SELinux) restrictions, made it almost impossible to time overlay attacks correctly with the older techniques.
MysteryBot is the first banking Trojan to execute overlay attacks reliably after the Android 7 and 8 updates. Overlay attacks were the backbone of earlier banking Trojans, and Android 7 and 8 broke many of the previously effective methods for deploying them.
The Explanation Behind the Strategy:
Everything depends on timing the overlay correctly: MysteryBot has to present its fake page asking for credentials or credit card information at the exact moment the victim opens the targeted app. To know which app is in the foreground, it relies on the Android PACKAGE_USAGE_STATS permission (shown to the user as Usage Access), a new approach for this kind of malware. The catch is that this permission has to be granted by the user in the settings, so MysteryBot abuses the well-known Accessibility Service to grant itself any permission it needs without the victim's consent.
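The two Android APIs named above are what make the timing work: an app holding PACKAGE_USAGE_STATS can read the usage-event stream and learn which package just moved to the foreground, which is exactly the trigger an overlay needs. The following Android/Java snippet is an added illustration of that primitive, written for this article; it is not MysteryBot's code or anything from the ThreatFabric report. It also shows the two checks a banking app or an analyst would run on a device: whether Usage Access has been granted to a given app, and which accessibility services are currently enabled (the list in which an abusive service like the one the text describes would appear). The class name `ForegroundProbe` and the `windowMs` parameter are assumptions made for the example.

```java
import android.app.AppOpsManager;
import android.app.usage.UsageEvents;
import android.app.usage.UsageStatsManager;
import android.content.Context;
import android.os.Process;
import android.provider.Settings;

/*
 * Added example (not from the original article or the malware).
 * Demonstrates the foreground-app timing primitive that PACKAGE_USAGE_STATS
 * enables, plus the two defensive checks a practitioner would run.
 */
public final class ForegroundProbe {

    /** True if the calling app has been granted Usage Access (PACKAGE_USAGE_STATS). */
    public static boolean hasUsageAccess(Context ctx) {
        AppOpsManager ops = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        int mode = ops.checkOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS,
                Process.myUid(), ctx.getPackageName());
        return mode == AppOpsManager.MODE_ALLOWED;
    }

    /**
     * Returns the package that most recently moved to the foreground within the
     * last windowMs milliseconds, or null if no such event was recorded.
     * This is the signal an overlay Trojan polls to decide when to show its fake page.
     * windowMs is an assumed parameter; a short window (a few seconds) is typical.
     */
    public static String currentForegroundPackage(Context ctx, long windowMs) {
        UsageStatsManager usm =
                (UsageStatsManager) ctx.getSystemService(Context.USAGE_STATS_SERVICE);
        long now = System.currentTimeMillis();
        UsageEvents events = usm.queryEvents(now - windowMs, now);
        UsageEvents.Event ev = new UsageEvents.Event();
        String last = null;
        while (events.hasNextEvent()) {
            events.getNextEvent(ev);
            // MOVE_TO_FOREGROUND is the event type emitted when an activity comes to the front.
            if (ev.getEventType() == UsageEvents.Event.MOVE_TO_FOREGROUND) {
                last = ev.getPackageName();
            }
        }
        return last;
    }

    /**
     * Colon-separated list of enabled accessibility services
     * ("pkg/service:pkg2/service2"), or an empty string if none are enabled.
     * An unexpected entry here is a strong indicator on an infected device.
     */
    public static String enabledAccessibilityServices(Context ctx) {
        String list = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        return list == null ? "" : list;
    }
}
```

The same two facts can be read from a connected device without any app: `adb shell settings get secure enabled_accessibility_services` prints the accessibility list, and the Usage Access grants are visible under Settings > Apps > Special app access on the device itself. A mobile banking app that performs runtime self-protection typically checks the accessibility list at launch, since an overlay Trojan cannot grant itself Usage Access without that service.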
As of the publishing of the ThreatFabric report there were few MysteryBot infections in the wild. The researchers expect that to change, and there is also a chance that a new threat built on the same foundation will emerge. Analyzing the malware this early, before infections affect many end users, gives defenders a head start.
MysteryBot also carries an experimental ransomware component, which is rare for a banking Trojan. It encrypts every file in the external storage directory individually, including the contents of every subdirectory. It is crucial for financial institutions to investigate and monitor this newest malware.