MysteryBot

Researchers at ThreatFabric have discovered a new Android malware under development dubbed MysteryBot. The malware is disguised as a Flash Player application and contains a banking trojan, a keylogger, and ransomware. MysteryBot uses a command-and-control (C2) server previously used by the LokiBot banking trojan, and its structure is very similar, suggesting it could have been developed by the same person or group. MysteryBot is the first known banking malware with the ability to display overlay screens on both Android 7 and 8. The malware displays fake login pages on top of legitimate apps in order to steal user credentials. While some keyloggers take a screenshot the moment a user taps a key, MysteryBot instead records the screen location of each touch gesture and uses that position to determine which key was pressed. The malware’s ransomware module locks each device file in an individual password-protected ZIP archive. The password, however, is only eight characters long, making it easier for the victim to brute-force and regain access to their files. The NJCCIC recommends Android users review the ThreatFabric report on MysteryBot, avoid downloading apps from third-party app stores, and be sure to run reputable, up-to-date anti-malware software on all devices. For information on additional Android malware variants, please visit the NJCCIC threat profile page here.