MysteryBot Trojan

The newly discovered Android-based MysteryBot Trojan combines several attacks, such as overlays, keylogging, and ransomware, in a single piece of malware to perform various malicious activities.

Based on its activities and behavior, researchers believe that MysteryBot is another powerful banking Trojan that inherits from LokiBot; both Android bankers run on the same C&C server.

Also, MysteryBot might be the next version of the LokiBot banking Trojan, and both Trojans have been developed by the same malware author.

MysteryBot is capable of performing various malicious activities, such as making phone calls, stealing contact information, forwarding incoming calls to another device, setting up the keylogger, encrypting the files on the device, and deleting all contact information on the device.

Also, an attacker issues various commands to control the infected system and steal sensitive data. Following are the commands used by attackers.

MysteryBot Trojan Infection Capabilities

A MysteryBot infection typically performs 3 major attacks on a compromised victim’s Android device and carries out various stealing activities.

Keylogging 

MysteryBot uses sophisticated keylogging functionality that was never known before, and it employs the keylogging modules of two other banking Trojans (CryEye and Anubis) to abuse the Android Accessibility Service.

This attack mostly needs more user interaction to succeed: the attacker tricks users into granting the Accessibility Service permission so that the malware can log keystrokes or take screenshots upon keypresses.

MysteryBot uses the most innovative techniques to log keystrokes, and it logs the keys regardless of whether the phone is held horizontally or vertically.

According to ThreatFabric, it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key.

Based on the code analyzed from the sample, this keylogger seems to still be under development, as no method is used to send the logs to the C2 server.

Ransomware

MysteryBot contains an embedded ransomware feature that performs an encryption operation on the external storage and locks each file individually.

After the encryption process, it puts each file in a ZIP archive that is protected with a password, and the password is the same for all ZIP archives.

After the encryption process is complete, victims receive a dialog box that tells them to watch a pornographic video to unlock the files.

To retrieve the password and be able to decrypt the files, the user is instructed to e-mail the actor at his e-mail address.

The attacker maintains a separate interface called “Myster_L0cker” to manage the victims.
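
For responders, the file-locking behavior described above leaves a recognizable trace on a copy of the device's external storage: many ZIP archives whose entries carry the password-protection flag. The following triage script is an added example, not code from the researchers or from the malware; the one-file-per-archive layout, the 0.5 threshold, and all function names are assumptions made for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flags: entry needs a password


def is_locked_archive(source) -> bool:
    """True for a ZIP holding exactly one file whose entry is password protected.
    The one-file-per-archive layout is an assumption made for this example."""
    try:
        with zipfile.ZipFile(source) as zf:
            entries = [e for e in zf.infolist() if not e.is_dir()]
    except (zipfile.BadZipFile, OSError):
        return False  # not a ZIP, or unreadable
    return len(entries) == 1 and bool(entries[0].flag_bits & ENCRYPTED)


def triage(root: Path, threshold: float = 0.5) -> dict:
    """Walk a copy of the external storage and measure how much of it consists
    of locked single-file archives (the threshold is an assumed cut-off)."""
    files = [p for p in root.rglob("*") if p.is_file()]
    locked = sorted(p for p in files if is_locked_archive(p))
    ratio = len(locked) / len(files) if files else 0.0
    return {"total": len(files), "locked": locked, "ratio": ratio,
            "suspicious": ratio >= threshold}


def constructed_sample(encrypted: bool) -> bytes:
    """Constructed input: a one-file ZIP. With encrypted=True only the flag bit
    is set in both headers; the payload itself is not really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"constructed sample bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= ENCRYPTED                            # local file header flags
        raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    return bytes(raw)


if __name__ == "__main__" and len(sys.argv) > 1:
    report = triage(Path(sys.argv[1]))
    print(f"{len(report['locked'])}/{report['total']} files locked, "
          f"suspicious={report['suspicious']}")
```

Run it against a pulled copy of the storage, not the live device, so that file timestamps on the evidence are preserved.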

Overlays 

Overlay attacks pop up a fake page on the screen and trick victims into entering their account username and password, which are then stolen.

Previously used overlay techniques do not work on Android 7 and 8, so MysteryBot has been exploring new techniques to time the overlay attack correctly on Android 7 and 8.

An incorrectly timed overlay would make the overlay screen appear at an unexpected moment, resulting in the victim realizing the presence of the malware.

Since MysteryBot requires Android permissions, it employs the popular Accessibility Service, which allows the Trojan to enable and abuse any required permission without the consent of the victim.

It is installed as a fake Flash Player app and tricks the victim into providing the permission, after which it gains access and steals sensitive information such as credentials.