New Banking Trojan Can Launch Overlay Attacks on Latest Android Versions

Researchers have discovered a new Android banking trojan that holds striking similarities to the infamous Lokibot – but packed with new tricky features, most notably its ability to implement an overlay attack on Android 7 and 8.

Researchers at ThreatFabric, who discovered the trojan, said MysteryBot was running on the same C&C server as the LokiBot Android banker discovered in 2017, suggesting that it’s either an update to the earlier malware or was developed by the same actor. The new trojan is still under development and is not widely spread, they said.

The bot comes with generic Android banking trojan functionalities – once a device is infected, for instance, the bad actor can use MysteryBot modules to make phone calls, scrape contact list info, copy keystrokes and encrypt files on external storage devices.

However, researchers said there’s much more to the story: “This bot has most generic Android banking trojan functionalities, but seems to be willing to surpass the average. The overlay, key-logging and ransomware functionalities are novel,” they said in a post. “Looking at the bot commands, we first thought that LokiBot had been improved. However, we quickly realized that there is more going on: the name of the bot and the name of the panel changed to ‘MysteryBot,’ [and] even the network communication changed.”

A ThreatFabric spokesperson told Threatpost that at the moment the trojan is spread via phishing while side-loading the payload. “The commonly fake Flash Player social-engineering trick is used in the distribution campaign,” said the spokesperson.

ThreatFabric discovered MysteryBot two weeks ago, and while researchers can’t say that it has been very active (less than 200 infections), they told us they believe that it will be properly spread once it is fully functional. 

One unique component to MysteryBot is its approach to overlay attacks, which enables attackers to draw on top of other apps running on the infected devices. This means they could overlay phishing pages on top of legitimate apps.

Android 7 and 8 have security protections like Security-Enhanced Linux (SELinux) built in, rendering previously used overlay techniques inaccessible, said researchers. These protections stop malware from showing off fake pages over apps. That has left malware families like ExoBot 2.5 and DiseaseBot searching for new overlay techniques – but MysteryBot appears to have found a solution.

Specifically, the bot abuses a glitch in the Android PACKAGE_USAGE_STATS service permission (a.k.a. the “Usage Access” permission), which is an Android software feature that shows stats revolving around usage of apps. Usually the victim has to provide specific permissions for usage – but MysteryBot employs AccessibilityService, which allows it to abuse any required permission without the victim’s consent. Android said that accessibility services are typically used to assist users with disabilities in using Android devices and apps.

Interestingly, it asks victims to grant Accessibility Service permissions after installing the malware.

“It seems that the reason for the victims to grant such permissions [is] the number of benign apps nowadays asking for exhaustive sets of permissions — making it common for users to grant permissions without reviewing the permissions requested,” the researchers said. “At the moment, MysteryBot is not using such an M.O. to get the Usage Access permission, but will ask the victim for it directly.”

The bot has abused this feature to target overlay attacks against over 100 apps, including WhatsApp and Facebook.

Other Features

The bot also appears to have innovated keylogging functionalities, effectively lowering detection rates and limiting the user interaction required to enable the logger.

While most trojans abuse the Android Accessibility Service to log the keystrokes or make screenshots upon key-presses, MysteryBot’s logging mechanism uses the Accessibility Service permission to do so directly after installing the malware.

The method essentially calculates the location for each row and places a “View” over each key. Each “view” is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use, researchers said.

While this technique requires more user interaction (i.e., asking for Accessibility Service permission) to be successful, it also has potential to log more than the usual keystrokes.

“At the time of writing, the code for the keylogger seems to still be under development, as there is no method yet to send the logs to the C2 server,” researchers said.

Moving forward, the enhanced overlay attack capability can be used to run on the latest Android versions; this, combined with the advanced keylogging features, will enable MysteryBot “to harvest a broad set of personally identifiable information in order to perform fraud,” researchers said.

MysteryBot also packs a ransomware module, which includes a new capability that allows the trojan to encrypt all files individually in the external storage directory, including every sub directory. After that, the original files are deleted.

As part of this, the trojan can delete the contacts in the contact list of the infected device, something that researchers said was not observed in banking malware until now.

“In the last six months we observed that capabilities such as a proxy, keylogging, remote access (RAT), sound-recording and file-uploading have become more and more common; we suspect this trend to only grow in the future,” researchers said.  “If our expectation of increases in such behavior turns out to be true, it means that it will become difficult for financial institutions to assess whether or not they are targeted by the specific threats…all infected devices can be source of fraud and espionage.”