Skip to Main Content
MysteryBot - the Android malware that's keylogger, ransomware, and trojan

MysteryBot – the Android malware that’s keylogger, ransomware, and trojan

There is a new malware in town – and it’s being targeted at Android users. The app called MysteryBot is still under development and provides everything a criminal inclined person could ever want in one neat little package: It is not only a Banking Trojan but also a keylogger and mobile ransomware.

The MysteryBot Android Trojan was recently discovered by ThreatFabric who thought it to be just another improved version of LokiBot. After investigating further it was quickly noticed however that – while based on LokiBot and most likely also developed by the same cybercriminals – it was completely rebranded and much “improved”.

A closer look at the malware

It comes disguised as a Flash player app

While Flash might disappear in 2020, there are still ample pages that use the player. Which is why a malware posing as an Adobe Flash Player app can easily find its way on the phones of potential victims. Same as most apps, MysteryBot will ask the users to get a couple of permissions. Once granted it can and will proceed with its nefarious purpose.

All those features in one malware

As soon as it’s on the victim’s device, the Trojan can execute one of the following built-in commands that the security researchers were able to compile:

  • CallToNumber — Calls a given phone number from the infected device.
  • Contacts — Gets contact list information (phone number and name of contacts).
  • De_Crypt — No code present, in development (probably decrypts the data / reverse the ransomware).
  • ForwardCall — Forwards incoming calls of the device to another number.
  • GetAlls — Shortened for GetAllSms, copies all the SMS messages from the device.
  • GetMail — No code present, in development (probably stealing emails from the infected device).
  • Keylogg — Copy and saves keystrokes performed on the infected device.
  • ResetCallForwarding — Stops the forwarding of incoming calls.
  • Screenlock — Encrypts all files in the External Storage Directory and deletes all contact information on the device.
  • Send_spam — Sends a given SMS message to each contact in the contact list of the device.
  • Smsmnd — Replaces the default SMS manager on the device, meant for SMS interception.
  • StartApp — No code present, in development (probably allows to remotely start an application on the infected device).
  • USSD — Calls a USSD number from the infected device.
  • dell_sms — Deletes all SMS messages on the device.
  • send_sms — Sends a given SMS message to a specific number.

Phishing more sophisticated than ever

While the above list is already pretty impressive, there is still more. The bot also uses a new technique in order to overlay phishing screens which actually work reliably on Android 7 and 8. Due to some restrictions employed by Security Enhanced Linux (SELinux) and other security controls, this has been made exceedingly hard for malware creators in the past. The new and improved phishing screen targets over 100 applications, some of which are mobile banking and social platforms apps.

A new kind of keylogger

Talking about innovation: The bot also uses a new method of logging what is being typed. Instead of taking screenshots at the moment the users press the keys on their touchscreens the MysteryBot calculates the on-screen location of the keys. Thanks to the then created grid it can guess what keys are being tapped. While this component is not working yet according to ThreatFabric, it will most likely be deployed in the near future.

Ransomware Mytery_L0cker

Last but not least MysteryBot also contains a built-in ransomware. Instead of encrypting the files though, it locks them all away in individual password protected .zip archives. Once done it tells the victims that they were watching pornographic content and need to contact the provided email address.

Image Source: ThreatFabric

The ransomware module is where the bot gets a bit shoddy, according to the researchers. The generated password is 8 characters long and consists of all characters of the Latin alphabet (upper and lower case) combined with numbers. This does not leave room for a lot of combinations and could easily be brute-forced.

How to stay safe

“MysteryBot is still under development at the time of writing and not widely spread,” is the statement the researchers finished their blog article with. While this is certainly true there is still other malware up and about and the bot itself will be amongst it at some point in the future, too.

So what can you do to stay safe?

  • Have a good and up-to-date antivirus – even for your mobile. Fabian Sanz, Security Researcher at the Avira Protection Labs says: “The MysteryBot which has surfaced now may only be an early development version, but with its potential it already is devastating.
    The Protection Labs of Avira will continue to closely monitor upcoming threats coming from this malware to protect our users from getting compromised in the future.”
  • Only use the official Google Play Store to download your apps. It’s just so much safer! Malicious apps can still find their way in there but it’s a lot less likely.
  • Use your brain. If an app wants way too much access to your smartphone’s systems: investigate first – especially when it is the accessibility service. That’s the access most often requested by ransomware and keyloggers but almost by no other app.

This post is also available in: German

EMEA & APAC Content Manager @ Norton & Avira | Gamer. Geek. Tech addict.