Skip to Content
Security & privacy

More nasty Android malware threatens users

Mobile ransomware is constantly evolving and new variants are emerging every day. Since our smartphones have evolved to become the digital portals to our entire lives, cybercriminals are targeting them more than ever.

It’s scary to think that the hacker’s toolkit constantly changes. It’s a cat and mouse game, as malware developers tweak and refine their code while cybersecurity watchdogs try and keep up.

Read on and I’ll tell you about this newly discovered malware variant that has extra tricks up its sleeves!

Note: Facebook has greatly reduced the distribution of our stories in our readers’ newsfeeds. When you share our articles with your friends, however, you greatly help distribute our content. Please take a moment and consider sharing this article with your friends and family. Thank you.

Mystery malware

A new form of Android malware that’s still evidently a work in progress was recently discovered by researchers at cybersecurity firm ThreatFabric.

Nicknamed MysteryBot by the researchers, this experimental malware is like a triple threat of sorts – it can deliver a banking trojan, a keylogger, and mobile ransomware all in one swoop!

It apparently also has ties to an older Android malware called LokiBot banking trojan since they share the same command and control center.

This means it’s possible that it was developed by the same malware developer, building its new capabilities on top of the old LokiBot code.

Nasty capabilities

Although MysteryBot’s real purpose is still unclear at this point, it has the potential to be one of the more versatile and powerful mobile threats out there since it targets Android versions 7 (Nougat) and 8 (Oreo) too.

Fake overlay screens – Out of the gate, it can trick you into giving away your banking credentials and credit card information by putting fake overlay login pages on top of legitimate apps. These fake overlays often look like the real thing so it’s easy to get duped if you’re not careful.

Keylogger – MysteryBot’s keylogger is not active yet but it looks like the attackers are trying to develop extra functions into it.

ThreatFabric notes that instead of taking screenshots of the keyboard when a user touches a key, MysteryBot records the touch position instead. The keylogger will then approximate this screen location with the exact key that was activated.

This is certainly a novel and more efficient approach to mobile keylogging.

Ransomware – And lastly, MysteryBot contains a basic and ransomware component. At this stage of its development, its ransomware functions are still unsophisticated and poorly implemented.

This particular module doesn’t encrypt your files but rather, it compresses them into a single password-protected ZIP archive.

When the ZIP archiving of your files is completed, a message will appear accusing you of watching adult material. It will also provide you with an email address where you can contact the attacker to pay the ransom and retrieve the password.

However, ThreatFabric explains that the ZIP password is only eight characters long and it can be easily cracked with brute force techniques.

Another problem is that the ID assigned to each ransomware victim can only be number 0 and 9999. Since it appears like there’s no system for verifying previously used IDs, there’s a possibility that the passwords can be overwritten, making them impossible to retrieve.

It pretends to be Flash Player

Although the delivery method for MysteryBot was not disclosed by ThreatFabric yet, the malware is reported to be disguising itself as Adobe Flash Player.

This suggests that like other Android malware, MysteryBot may be tricking users into installing it by pretending to be a Flash Player update.

Additionally, its predecessor LokiBot was spread via SMS spam links and phishing emails with links to a malicious Android app so it’s certainly possible that MysteryBot is using the same tactics as well.

Protect yourself against MysteryBot

As always, to protect yourself against MysteryBot and other Android malware, the best practice is to avoid downloading and installing apps from “Unknown Sources.” Only download apps from the official Google Play app store and make sure you check user reviews, too, before installing.

Second, be careful with links and websites you visit. Drive-by malware downloads could happen anytime without you knowing it. Don’t grant any system permissions to prompt coming from unknown sources.

Always be careful with texts, emails and websites that have video links that won’t play unless you “install and update your video plugins” (for example, Flash Player). This is actually how they get an initial foothold on your gadget.

A good backup plan is also essential for protecting yourself against ransomware. We recommend our sponsor, IDrive, for fast and reliable cloud backups. Backup your all your gadgets and save 50% on all your backup needs and get 2TB of storage for less than $35!

Komando Community background

Join the Komando Community!

Get even more digital know-how and entertainment within the Komando Community! Watch or listen to The Kim Komando Show on your schedule, read Kim's eBooks for free, and get answers in the Tech Forum.

Join Now