Tuesday, July 16, 2024

MysteryBot – Powerful Android Banking Trojan Launches Keylogger, Overlay & Ransomware in a Single Attack

A newly discovered Android-based Trojan, MysteryBot, launches overlay, keylogger, and ransomware attacks in a single attack to perform various malicious activities.

Based on its activities and behavior, researchers believe that MysteryBot is another powerful banking Trojan that inherits from LokiBot; both Android bankers run on the same C&C server.

MysteryBot might also be the next version of the LokiBot banking Trojan, and both Trojans have been developed by the same malware author.

MysteryBot is capable of performing various malicious activities, such as making phone calls, stealing contact information, forwarding incoming calls to another device, setting up the keylogger, encrypting the device's files, and deleting all contact information on the device.

An attacker also issues various commands to control the infected system and steal sensitive data. Following are the commands used by attackers.

MysteryBot Trojan Infection Capabilities

A MysteryBot infection typically performs 3 major attacks on a compromised victim's Android device and carries out various stealing activities.


MysteryBot uses sophisticated keylogging functionality that was never known before, and it employs the keylogging modules of two other banking Trojans (CryEye and Anubis) to abuse the Android Accessibility Service.

This attack mostly needs more user interaction to succeed: the attacker tricks users into granting permission for the Accessibility Service so that it can log keystrokes or take screenshots upon keypresses.

MysteryBot uses the most innovative techniques to log keystrokes, and it logs keys regardless of the phone's orientation, whether horizontal or vertical.

According to ThreatFabric, it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key.

Based on the code analyzed from the sample, this keylogger seems to still be under development, as no method has been used to send the logs to the C2 server.


MysteryBot contains an embedded ransomware feature that performs an encryption operation on external storage and locks all the files individually.

After the encryption process, it puts each file in a ZIP archive that is protected with a password, and the password is the same for all ZIP archives.

After the whole encryption process completes, victims receive a dialog box that indicates to watch the pornographic video to unlock the files.

To retrieve the password and be able to decrypt the files, the user is instructed to e-mail the actor at his e-mail address.

The attacker maintains a separate interface called "Myster_L0cker" to manage the victims.
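
A triage sketch for the per-file, password-protected ZIP behaviour described above (an added example, not code from ThreatFabric's analysis or from this article): run against a copy of a device's external storage pulled to an analysis machine, it reports whether most files are single-entry ZIP archives with the encryption flag set. The function names, the threshold and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

ENCRYPTED_FLAG = 0x1  # ZIP general-purpose flag bit 0: entry is password-protected


def is_locked_single_file_zip(blob: bytes) -> bool:
    """True if blob is a ZIP with exactly one entry and that entry is encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return False
    return len(entries) == 1 and bool(entries[0].flag_bits & ENCRYPTED_FLAG)


def triage(files: dict, threshold: float = 0.8) -> dict:
    """List locked files and say whether their share reaches the threshold."""
    locked = sorted(n for n, b in files.items() if is_locked_single_file_zip(b))
    ratio = len(locked) / len(files) if files else 0.0
    return {"locked": locked, "ratio": ratio, "suspicious": ratio >= threshold}


def load_tree(root: str) -> dict:
    """Read every file under a local copy of the device's external storage."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}


def constructed_zip(member: str, payload: bytes, encrypted: bool) -> bytes:
    """Build sample input. zipfile cannot write encrypted entries, so the
    'encrypted' sample only has the flag bit set in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= ENCRYPTED_FLAG  # flags field of the local file header
        raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG  # central directory
    return bytes(raw)


# Constructed sample: file names and contents are illustrative only.
SAMPLE = {
    "DCIM/photo1.jpg.zip": constructed_zip("photo1.jpg", b"\xff\xd8 sample", True),
    "Download/notes.txt.zip": constructed_zip("notes.txt", b"hello", True),
    "Download/backup.zip": constructed_zip("a.txt", b"plain", False),
    "Music/song.mp3": b"ID3 not a zip",
}
```

On real data, `triage(load_tree("/path/to/pulled/sdcard"))` applies the same check to a directory copy; an ordinary unencrypted backup archive or a multi-file ZIP does not count towards the ratio.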


Overlay attacks pop up a fake page on the screen and trick victims into entering their account username and password, which are then stolen.

Previously used overlay attacks do not work on Android 7 and 8, so the MysteryBot Trojan has been exploring new techniques to time the overlay attack correctly on Android 7 and 8.

An Android Trojan overlay would otherwise make the overlay screen appear at an unexpected moment, resulting in the victim realizing the presence of the malware.

Since the MysteryBot Trojan requires Android permissions, it employs the popular Accessibility Service, which allows the Trojan to enable and abuse any required permission without the consent of the victim.

It installs a fake Flash Player app and tricks the victim into providing the permission, gaining access to steal sensitive information such as credentials.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
