Cybersecurity is a crucial aspect of life online, but defences are often breached when malware, ransomware, Trojans and viruses slip past security tools on unpatched systems. PCs used to be the prime target for hackers, but the rise of smartphones is rapidly shifting their focus towards mobile phones. Case in point: a dangerous new malware is targeting banking apps on Android devices and turns into ransomware when the user tries to remove it.
It's a nightmare for unsuspecting Android users: the new malware, called MysteryBot, can intercept incoming calls and forward them to another number, view contacts and send SMSes, and extract personal information about the owner to commit identity fraud, among other things.
Security researchers at Threat Fabric also found commands in the malware that could remotely start apps on an infected device and steal emails, but these did not appear to be active at the time of the investigation, suggesting the malware is still in development.
Even so, MysteryBot is a sophisticated piece of malware, with an architecture similar to that of LokiBot, a banking Trojan that caused chaos last year by turning into ransomware when users tried to remove it. The same is true of MysteryBot, which the researchers found also runs on the same C&C server as LokiBot.
MysteryBot encrypts every file in the external storage directory individually and deletes the originals, then demands a ransom from users who try to remove the malware from the device.
"When the encryption process is completed, the user is greeted with a dialogue accusing the victim of having watched pornographic material. To retrieve the password and be able to decrypt the files the user is instructed to e-mail the actor on his e-mail address: googleprotect[at]mail.ru," the researchers wrote.
While explaining MysteryBot's sophistication, Threat Fabric researchers said the malware uses a new technique to log keystrokes.
"It considers that each key of the keyboard has a set location on the screen, on any given phone and regardless of whether the phone is held horizontally or vertically; it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key," the researchers explained.
The security firm reviewed the extent of MysteryBot's capabilities, which it reported are still being expanded, and found a long list of apps as potential targets. They include Bankwest, iMobile by ICICI Bank, Facebook, Messenger, HSBC mobile banking, PayPal, SBI Anywhere Personal, HDFC Bank Mobile Banking, U.S. Bank, WhatsApp and many more.
As mentioned earlier, MysteryBot is still in development, so there is no call for panic. The potentially dangerous malware infects devices running Android Nougat and Android Oreo, which together account for around 36 percent of all Android smartphones.
Luckily, users can steer clear of the malware simply by not installing apps from sources other than the Google Play Store. As Threat Fabric noted, most banking Trojans are distributed via phishing and side-loaded apps.
But as a word of caution, do not trust every app on the Google Play Store. History has shown that malware has occasionally sneaked into the Play Store, so before you download an app, check the permissions it requests. Any permission that seems out of the ordinary for the nature of the app should be reason enough not to download it.
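The permission check described above can be done mechanically against an app's decoded AndroidManifest.xml (for instance the output of an APK decoder). The script below is an added example written for this article, not code from the article or from Threat Fabric: it flags the permissions that together characterise banking Trojans like the one described here (screen overlays, SMS interception, call control, contact harvesting, and a declared accessibility service) and calls a manifest suspicious when more than one of them appears. The two manifests embedded in it are constructed samples; the permission names are the standard Android ones.

```python
"""Review a decoded AndroidManifest.xml for permission combinations typical of
Android banking Trojans. Added example; the sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# uses-permission entries that give an app the capabilities described in the
# article: overlays over other apps, SMS access, call forwarding, contact theft.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draws views over other apps (overlay phishing, key capture)",
    "android.permission.RECEIVE_SMS": "reads incoming SMS, including one-time codes",
    "android.permission.SEND_SMS": "sends SMS from the device",
    "android.permission.READ_CONTACTS": "harvests the contact list",
    "android.permission.CALL_PHONE": "places calls and dials USSD codes (call forwarding)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs further packages",
}
# Accessibility services are declared on a <service>, not via uses-permission.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def review_manifest(xml_text):
    """Return a list of (permission, reason) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for uses in root.iter("uses-permission"):
        name = android_attr(uses, "name")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append((name, HIGH_RISK_PERMISSIONS[name]))
    for service in root.iter("service"):
        if android_attr(service, "permission") == ACCESSIBILITY_PERMISSION:
            findings.append((ACCESSIBILITY_PERMISSION,
                             "declares an accessibility service (can read and drive other apps' UI)"))
    return findings


def is_suspicious(findings, threshold=2):
    """A single risky permission may be legitimate; a cluster of them rarely is."""
    return len(findings) >= threshold


# Constructed sample: a "flashlight" app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: the same kind of app asking only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = review_manifest(manifest)
        print("%s: %d risky permission(s), suspicious=%s" % (label, len(found), is_suspicious(found)))
        for name, reason in found:
            print("  %s: %s" % (name, reason))
```

The threshold is deliberately low: a messaging app legitimately needs SMS permissions, but a flashlight or game that requests overlays, SMS and call control together is exactly the profile the article warns about, and that cluster is what should stop the install.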