Threat Fabric (formerly known as SfyLabs) reports a newly discovered banking Trojan targeting Android versions 7 and 8. It seems to be linked to Lokibot, the hydra of the Android malware zoo, because it uses the same command and control (C&C) server.
The recently discovered banking Trojan, dubbed Mysterybot, seems to be an update of Lokibot, or to belong to the same family of Trojan malware.
Lokibot is known as the hydra of the Android malware zoo, because it has Android Trojan and ransomware capabilities. Killing one does not kill the other.
Mysterybot features improved commands compared to Lokibot, a new name, and modified network communication.
“Although certain Android banking malware families such as but not limited to ExoBot 2.5, Anubis II, DiseaseBot have been exploring new techniques to perform overlay attacks on Android 7 and 8, it seems that the actor(s) behind Mysterybot have successfully implemented a workaround solution and have spent some time on innovation,”
Here is a list of the ‘innovative’ features the researchers discovered:
Mysterybot seems to be the next step in the evolution of Android banking malware, inheriting from the hydra Lokibot, and at the same time improving it by being a banking Trojan, ransomware, and keylogger in one malware agent.
About the author
Software test engineer, Founder TestingSaaS, a social network about researching cloud applications with a focus on forensics, software testing and security.
(Security Affairs – Mysterybot Android malware, Lokibot)