Monday, January 27, 2025
HomeMalwareMysteryBot - Powerful Android Banking Trojan Launch Keylogger, Overlay & Ransomware in...

MysteryBot – Powerful Android Banking Trojan Launch Keylogger, Overlay & Ransomware in Single Attack

Published on

SIEM as a Service

Follow Us on Google News

Newly Discovered Android-based MysteryBot Trojan launches various attack such as overlay, keylogger, and Ransomware in a single attack to perform various malicious activities.

Based on activities and behavior, researchers believe that MysteryBot Trojan is another powerful banking trojan that inherits LokiBot, both Android banker is running on the same C&C server.

Also, MysteryBot Trojan might next version of LokiBot banking Trojan and the both Trojan has been developed by the same Malware author.

MysteryBot is capable of performing various malicious activities,  such as making a phone call, stealing the contact information, forwarding the incoming calls to another device, setting the keylogger and encrypt the device files and deletes all contact information on the device.

Also, an attacker launches various commands and control the infected system to steal the sensitive data. Following are the commands used by attackers.

MysteryBot Trojan Infection Capabilities

MysteryBot infection typically performing 3 major attacks on a compromised victim’s Android device and performing various stealing activities.

Keylogging 

MysteryBot is using sophisticated keylogging functionality that never known before and it, employees, two other banking Trojan’s keylogging Module (CryEye and Anubis) to abuse the Android Accessibility service.

This attack mostly needs more user interaction to be a successful attack, attack trick users to grant the permission for accessibility service to log the keystrokes or make screenshots upon keypresses.

MysteryBot using the most innovative techniques to log the keystrokes and it logs the key regardless of the phone direction that could either horizontally or vertically.

According to threatfabric,  it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key.

Based on the code that has been analyzed from the sample, this keylogger seems to still be under development as there is no method has been used to send the logs to the C2 server

Ransomware

MysteryBot contains an embedded ransomware future that performs an encryption operation in the external storage and it locks individually all the files.

After the encryption process, it puts each file in the ZIP archive that protected with a password and the password is the same for all ZIP archives.

After complete all encryption Process, victims will be received a dialog box that indicates to watch the pornographic video to unlock the files.

To retrieve the password and be able to decrypt the files the user is instructed to e-mail the actor on his e-mail address.

Attacker maintains the separate interface called   “Myster_L0cker”  to manage the victims.

Overlays 

Overlays attack are performing to popup the fake page on the screen and trick victims to enter their specific account username and password and steal the credentials.

Previously used overlay attacks are not working in Android 7 and 8, so MysteryBot Trojan have been exploring new techniques to time the overlay attack correctly on Android 7 and 8.

Android Trojan overlay would make the overlay screen appear at an unexpected moment, resulting in the victim realizing presence of the malware

Since the MysteryBot Trojan required the  Android permissions, it employees the popular Accessibility Service that allowing the Trojan to enable and abuse any required permission without the consent of the victim.

Its installed the fake flash player app and triggered victim into providing the permission and gain the over access and steal the sensitive information such as credentials.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

White House Considers Oracle-Led Takeover of TikTok with U.S. Investors

In a significant development, the Trump administration is reportedly formulating a plan to prevent...

Critical Vulnerability in IBM Security Directory Enables Session Cookie Theft

IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory...

Critical Apache Solr Vulnerability Grants Write Access to Attackers on Windows

A new security vulnerability has been uncovered in Apache Solr, affecting versions 6.6 through...

GitHub Vulnerability Exposes User Credentials via Malicious Repositories

A cybersecurity researcher recently disclosed several critical vulnerabilities affecting Git-related projects, revealing how improper...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

New Phishing Framework Attack Multiple Brands Login Pages To Steal Credentials

Researchers have identified a sophisticated phishing tactic leveraging Cloudflare's workers.dev, a free domain name...

Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices

A recent cybersecurity attack involving a Trojanized version of the XWorm Remote Access Trojan...

LockBit Ransomware: 11-Day Timeline from Initial Compromise to Deployment

A well-coordinated cyber intrusion, spanning 11 days, culminated in the deployment of LockBit ransomware...