MysteryBot Android Trojan can encrypt the files on your Android device.
Security researchers have detected another damaging threat targeting Android users. Named “MysteryBot”, it is an Android Trojan that uses several illegal techniques to attack Android devices worldwide on a large scale.
The threat is rated as highly dangerous because it can modify crucial device settings in ways that seriously affect the user’s security and privacy.
MysteryBot Android Trojan Detection and Distribution
MysteryBot Android Trojan was detected recently when investigators examined a malicious dropper carrying the payload of the GandCrab ransomware. The droppers were part of a botnet that was used to distribute various threats to both computers and mobile devices, including computer viruses, Trojans, ransomware and Android malware.
Follow-up research revealed that the botnet was operated by a group of cyber criminals already known for distributing several kinds of threats and victimizing users. The same group is responsible for distributing and controlling MysteryBot Android Trojan.
Botnets generally deliver spam emails in bulk and use other social engineering tricks to convince users to perform the required actions. The email may carry the payload directly as an attachment, or hide it behind a link that downloads the infection onto the device when clicked. To win the user’s trust, the email imitates the images and text of well-known companies or software brands, so that the user readily follows its request to download an attachment or a program, for example a fake Adobe Flash Player update.
MysteryBot Android Trojan Actions
Once it is inside the targeted device, MysteryBot Android Trojan contacts its operators and starts executing the commands they send. Its built-in command set, and what each command does, is as follows:
- CallToNumber — Calls a given phone number from the infected device.
- Contacts — Gets contact list information (phone number and name of each contact).
- De_Crypt — No code present, in development (probably decrypts the data / reverses the ransomware).
- ForwardCall — Forwards incoming calls of the device to another number.
- GetAlls — Short for GetAllSms; copies all SMS messages from the device.
- GetMail — No code present, in development (probably steals emails from the infected device).
- Keylogg — Copies and saves keystrokes performed on the infected device.
- ResetCallForwarding — Stops the forwarding of incoming calls.
- Screenlock — Encrypts all files in the external storage directory and deletes all contact information on the device.
- Send_spam — Sends a given SMS message to each contact in the contact list of the device.
- Smsmnd — Replaces the default SMS manager (the default SMS app) on the device, for SMS interception.
- StartApp — No code present, in development (probably allows the operator to remotely start an application on the infected device).
- USSD — Dials a USSD code from the infected device.
- dell_sms — Deletes all SMS messages on the device.
- send_sms — Sends a given SMS message to a specific number.
According to the report, the Trojan’s underlying engine is modular, which lets the operators add and execute custom commands. However, the restrictions introduced in Android 7 and 8 broke the technique Android bankers used to draw an overlay on top of user-installed applications, mostly mobile banking apps, payment services and web browsers, in order to phish credentials.
This forced the MysteryBot developers to find a new way around the device’s protections. Their answer is to abuse the PACKAGE_USAGE_STATS permission (shown to users as “Usage Access”): with it the Trojan can query which application is currently in the foreground, which is exactly what it needs to time the overlay. Because this permission has to be granted by the user in the Settings app, the malware abuses the Android accessibility service to grant it to itself, and through the same accessibility abuse it can enable other permissions without the user’s consent.
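The command list and the permission discussion above map directly onto what an analyst can read out of an APK’s manifest before running anything: SMS theft and interception need the SMS permissions and a receiver for the default-SMS-app broadcast, call control needs CALL_PHONE, the locker needs external storage, and the Android 7/8 overlay trick needs SYSTEM_ALERT_WINDOW, PACKAGE_USAGE_STATS and an accessibility service together. The following triage script is an added example written for this article, not code from the MysteryBot sample or from its analysts; the manifest it parses is constructed for the demo, and the package name and component class names in it are hypothetical.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities listed
above.  Added example for this article, not code from the MysteryBot sample.
SAMPLE_MANIFEST and BENIGN_MANIFEST are constructed; their package and class
names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability -> manifest evidence.  "perms" are <uses-permission> names that
# must all be present; "actions" are intent-filter actions some component must
# register.  The mapping follows the command list: SMS theft/interception
# (GetAlls, Smsmnd), SMS spam (Send_spam, send_sms), call control (CallToNumber,
# ForwardCall, USSD), external-storage encryption (Screenlock), plus the
# overlay / Usage Access / accessibility trio discussed in the text.
CAPABILITIES = {
    "overlay windows (fake login screens)": {
        "perms": {"android.permission.SYSTEM_ALERT_WINDOW"}},
    "foreground-app detection via Usage Access": {
        "perms": {"android.permission.PACKAGE_USAGE_STATS"}},
    "accessibility service (can click through permission dialogs)": {
        "actions": {"android.accessibilityservice.AccessibilityService"}},
    "SMS theft and default-SMS-app takeover": {
        "perms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
        "actions": {"android.provider.Telephony.SMS_DELIVER"}},
    "SMS spam to contacts": {
        "perms": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}},
    "calls, call forwarding and USSD": {
        "perms": {"android.permission.CALL_PHONE"}},
    "encrypting files on external storage": {
        "perms": {"android.permission.WRITE_EXTERNAL_STORAGE"}},
}


def _name(elem):
    """Read the android:name attribute of a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}name")


def triage_manifest(xml_text: str) -> dict:
    """Return {capability: bool} for every entry in CAPABILITIES."""
    root = ET.fromstring(xml_text)
    perms = {_name(e) for e in root.iter("uses-permission")}
    actions = {_name(e) for e in root.iter("action")}
    return {
        cap: need.get("perms", set()) <= perms and need.get("actions", set()) <= actions
        for cap, need in CAPABILITIES.items()
    }


def banker_profile(findings: dict) -> bool:
    """True when the three capabilities that make overlay phishing work on
    Android 7/8 are all present.  A legitimate app rarely needs all of them."""
    keys = ("overlay windows (fake login screens)",
            "foreground-app detection via Usage Access",
            "accessibility service (can click through permission dialogs)")
    return all(findings[k] for k in keys)


# Constructed manifest of a hypothetical "Flash update" dropper.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(text)
        print(label, "banker profile:", banker_profile(f))
        for cap, hit in f.items():
            print("  ", "X" if hit else "-", cap)
```

Run it against a manifest decoded with apktool (the binary manifest inside the APK must be decoded first). The check is deliberately conservative: it only says which capabilities the app has declared, so a hit on the full banker profile is a reason to look at the code, not a verdict on its own.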
Further analysis of the code revealed that MysteryBot Android Trojan contains a purpose-built keylogger. Instead of hooking the keyboard, this component records the screen coordinates of each touch and maps them onto a grid of rows and columns that mirrors the key positions of the on-screen keyboard. The component was still in a testing phase at the time of the analysis, but once finished it could capture everything the user types, including sensitive information.
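To make the grid idea concrete, here is a reconstruction of how such a touch-grid keylogger turns raw coordinates into text. It is an added example written for this article, not MysteryBot’s code: the 1080x1920 screen, the keyboard starting at y=1300, the uniform cell sizes and the four-row QWERTY layout are all assumptions chosen for the demo. It also shows the weakness that explains why the component needed testing: the same touches decoded against a different layout (a numeric PIN pad) give garbage.

```python
"""Reconstruction of a touch-grid keylogger.  Added example for this article,
not MysteryBot's code.  The malware sees no key events, only touch
coordinates, so it divides the keyboard area into a grid and maps each touch
to the key in that cell.  Screen size, keyboard top edge and the layouts are
assumed values."""

SCREEN_W, SCREEN_H = 1080, 1920
KEYBOARD_TOP = 1300          # assumed top edge of the on-screen keyboard
QWERTY = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
PIN_PAD = ["123", "456", "789", "0"]   # a banking-style numeric keypad, assumed


def key_for_touch(x, y, layout=QWERTY, top=KEYBOARD_TOP):
    """Map one touch-down event to a key, or None if it is outside the keyboard."""
    if not (0 <= x < SCREEN_W and top <= y < SCREEN_H):
        return None
    row_h = (SCREEN_H - top) // len(layout)          # uniform row height
    row = min((y - top) // row_h, len(layout) - 1)
    keys = layout[row]
    col = min(x // (SCREEN_W // len(keys)), len(keys) - 1)  # uniform key width per row
    return keys[col]


def reconstruct(touches, layout=QWERTY):
    """Turn an ordered list of (x, y) touch-down events into the typed text,
    dropping touches that land outside the keyboard area."""
    return "".join(k for k in (key_for_touch(x, y, layout) for x, y in touches) if k)


# Constructed touch log: "pass" typed on the assumed QWERTY keyboard, plus one
# tap on a button near the top of the screen that must be ignored.
TOUCHES = [(1000, 1500), (50, 1700), (150, 1700), (150, 1700), (500, 300)]

if __name__ == "__main__":
    print("QWERTY :", reconstruct(TOUCHES))            # pass
    print("PIN pad:", reconstruct(TOUCHES, PIN_PAD))   # same touches, wrong layout
```

Real keyboards have keys of unequal width (space bar, shift, symbols) and change layout per app, language and orientation, so a production version of this component has to learn which layout is on screen before the mapping is reliable; that is the part the report describes as unfinished.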
MysteryBot Android Trojan Additional Threats
MysteryBot Android Trojan Has a Built-in Ransomware “Mystery_L0cker”
Apart from its main engine, MysteryBot Android Trojan contains several other modules that perform distinct actions on the targeted device. One built-in module is a ransomware, named Mystery_L0cker, that behaves much like desktop ransomware: it encrypts the user’s files and makes them inaccessible. The routine first scans the device’s storage directories for files whose extensions appear in its built-in list. Each matching file is then placed in its own password-protected ZIP archive, with the password generated by the engine at run time. The scheme is weaker than it looks: the report notes that the password is only eight characters drawn from Latin letters and digits, and that the victim ID reported to the operators is a number between 0 and 9999, so IDs collide once there are more than ten thousand victims.
When the encryption has finished, it notifies the victim with a message. To intimidate the victim further, it shows a fake alert claiming that the user has been caught watching pornographic content on the device and that this is why the sensitive files have been locked. To get the files back, the victim is told to contact the attackers at the email address shown.
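The one-archive-per-file design leaves a recognizable trace on the device, and the first job during incident response is to find and preserve those archives before anything else touches the storage. The triage helper below is an added example written for this article, not code from the sample or its analysts: it walks a directory tree and reports every archive that looks like locker output, meaning a single-entry ZIP whose entry carries the ZipCrypto “encrypted” flag. The storage tree it scans is constructed in a temporary directory, and the “<name>.zip” naming and the file names are assumptions.

```python
"""Triage helper for storage pulled from a device hit by a Mystery_L0cker-style
locker, which puts each victim file into its own password-protected ZIP.
Added example for this article, not code from the sample.  The storage tree
is constructed; archive naming and file names are assumptions."""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_locked_archive(name: str, payload: bytes) -> bytes:
    """Build a one-entry ZIP whose entry is flagged as encrypted.  zipfile can
    read ZipCrypto but not write it, so a plain STORED archive is written and
    bit 0 of the general-purpose flags is set in the local file header
    (offset 6) and in the central directory entry (offset 8).  The payload is
    a stand-in for ciphertext; only the flag matters to the triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 0x01
    data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def classify_archive(path: Path):
    """('locked', entry_name) for a single-entry encrypted ZIP,
    ('plain', None) for any other ZIP, ('not-zip', None) otherwise."""
    if not zipfile.is_zipfile(path):
        return "not-zip", None
    with zipfile.ZipFile(path) as zf:
        infos = zf.infolist()          # central directory only, no decryption
    if len(infos) == 1 and infos[0].flag_bits & 0x01:
        return "locked", infos[0].filename
    return "plain", None


def scan_storage(root: Path) -> dict:
    """Walk root and return {"locked": [(archive, original_name)],
    "originals_left": n}.  The locker is expected to delete originals, so any
    that remain next to their archive should be copied off first."""
    locked, originals_left = [], 0
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            kind, orig = classify_archive(p)
            if kind == "locked":
                locked.append((str(p.relative_to(root)), orig))
                if (p.parent / orig).exists():
                    originals_left += 1
    locked.sort()
    return {"locked": locked, "originals_left": originals_left}


def demo() -> dict:
    """Construct a small storage tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="locker-triage-"))
    (root / "DCIM").mkdir()
    # locker output: the JPEG is gone, only its single-entry encrypted ZIP remains
    (root / "DCIM" / "IMG_0001.jpg.zip").write_bytes(
        build_locked_archive("IMG_0001.jpg", b"\xff\xd8\xff\xe0 stand-in ciphertext"))
    # a locked document whose original was not deleted yet
    (root / "notes.txt.zip").write_bytes(build_locked_archive("notes.txt", b"cipher"))
    (root / "notes.txt").write_text("plaintext still here")
    # an ordinary multi-entry backup archive: must not be flagged
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        zf.writestr("a.txt", "a")
        zf.writestr("b.txt", "b")
    (root / "readme.txt").write_text("not an archive")
    return scan_storage(root)


if __name__ == "__main__":
    print(demo())
```

Keep the archives rather than deleting them: ZipCrypto is a weak stream cipher that falls to a known-plaintext attack given a dozen or so known bytes (a JPEG or Office file header is enough), and with the eight-character alphanumeric password noted in the report, brute force is also within reach. Either route is more realistic than paying.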
The developers of MysteryBot Android Trojan are still testing many of the modules that may be enabled in future versions. These modules can collect real-time data from the compromised device and steal confidential information, such as the victim’s name, physical address, geo-location, email account, phone contacts, passwords and bank account credentials.
All Android users need to be cautious, as MysteryBot Android Trojan keeps finding cleverer ways to get onto a device and steal or encrypt its files.