Sunday, March 3, 2024

MysteryBot – Powerful Android Banking Trojan Launch Keylogger, Overlay & Ransomware in Single Attack

Newly Discovered Android-based MysteryBot Trojan launches various attack such as overlay, keylogger, and Ransomware in a single attack to perform various malicious activities.

Based on activities and behavior, researchers believe that MysteryBot Trojan is another powerful banking trojan that inherits LokiBot, both Android banker is running on the same C&C server.

Also, MysteryBot Trojan might next version of LokiBot banking Trojan and the both Trojan has been developed by the same Malware author.

MysteryBot is capable of performing various malicious activities,  such as making a phone call, stealing the contact information, forwarding the incoming calls to another device, setting the keylogger and encrypt the device files and deletes all contact information on the device.

Also, an attacker launches various commands and control the infected system to steal the sensitive data. Following are the commands used by attackers.

MysteryBot Trojan Infection Capabilities

MysteryBot infection typically performing 3 major attacks on a compromised victim’s Android device and performing various stealing activities.


MysteryBot is using sophisticated keylogging functionality that never known before and it, employees, two other banking Trojan’s keylogging Module (CryEye and Anubis) to abuse the Android Accessibility service.

This attack mostly needs more user interaction to be a successful attack, attack trick users to grant the permission for accessibility service to log the keystrokes or make screenshots upon keypresses.

MysteryBot using the most innovative techniques to log the keystrokes and it logs the key regardless of the phone direction that could either horizontally or vertically.

According to threatfabric,  it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key.

Based on the code that has been analyzed from the sample, this keylogger seems to still be under development as there is no method has been used to send the logs to the C2 server


MysteryBot contains an embedded ransomware future that performs an encryption operation in the external storage and it locks individually all the files.

After the encryption process, it puts each file in the ZIP archive that protected with a password and the password is the same for all ZIP archives.

After complete all encryption Process, victims will be received a dialog box that indicates to watch the pornographic video to unlock the files.

To retrieve the password and be able to decrypt the files the user is instructed to e-mail the actor on his e-mail address.

Attacker maintains the separate interface called   “Myster_L0cker”  to manage the victims.


Overlays attack are performing to popup the fake page on the screen and trick victims to enter their specific account username and password and steal the credentials.

Previously used overlay attacks are not working in Android 7 and 8, so MysteryBot Trojan have been exploring new techniques to time the overlay attack correctly on Android 7 and 8.

Android Trojan overlay would make the overlay screen appear at an unexpected moment, resulting in the victim realizing presence of the malware

Since the MysteryBot Trojan required the  Android permissions, it employees the popular Accessibility Service that allowing the Trojan to enable and abuse any required permission without the consent of the victim.

Its installed the fake flash player app and triggered victim into providing the permission and gain the over access and steal the sensitive information such as credentials.


Latest articles

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles