MysteryBot is an Android malware discovered by security researchers at ThreatFabric that comes disguised as a Flash Player app and contains three components: a banking trojan, keylogger, and mobile ransomware. MysteryBot uses a C2 server that was previously used by the LokiBot baking trojan, suggesting that it was developed by the same threat actor or group. This Android malware is able to show overlay screens on Android 7 and 8 by utilizing the Usage Access permission; previous Android banking malware variants had failed to do this due to the security features added by Google engineers. The keylogger component of the malware is used by recording the location of a touch gesture and using this to determine which key was selected. Just like LokiBot, MysterBot contains a ransomware module that takes each of the device's file individually and locks them in a password-protected ZIP file, as opposed to encrypting the files. However, the password used for the ZIP files are only 8 characters long, making brute-forcing the password easier and making it possible for victims to regain access to their files. which can ultimately be brute-forced. Additionally, the victim is given an ID of a number between 0 and 9999; however, no verification is done to ensure the ID is not already in use. Therefore, IDs will be overwritten by a newer victim and the older victim's files are unable to be recovered.

Reporting and Technical Details

  • ThreatFabric provides more technical details on MysteryBot, here.