Severity scale:  
  (80/100)

MysteryBot virus. How to remove? (Uninstall guide)

removal by Gabriel E. Hall - - | Type: Malware

MysteryBot – a mobile banking trojan that attacks Android 7 and 8 users

MysteryBot malware
MysteryBot - a mobile banking trojan that targets Android devices.

MysteryBot is a mobile virus that targets Android users. This advanced Android virus[1] seems to be related to LokiBot malware[2] which has been detected in 2017. However, the recent mobile malware is capable of stealing banking information, operating as a keylogger and contains a ransomware-type virus. The virus spreads as a fake Adobe Flash Player app and after infiltration gets administrative rights of the device. Since then it can perform its malicious activities.

Summary of the cyber threat
Name MysteryBot
Type Malware
Targeted OS Android 7 and 8
Features Banking trojan, keylogger, ransomware
Relation LokiBot malware
Distribution Fake Adobe Flash Player app
Elimination To uninstall MysteryBot, install Reimage and run a full system scan

According to the research data,[3] MysteryBot virus uses the same Command and Control (C&C) server like LokiBot. Researchers assume that it might be an updated version of the latter malware or a brand new cyber threat created by the same hackers.

MysteryBot malware targets mobile devices that run on Android 7 and 8 operating system. The virus uses an advanced overlay attack and employs the Android PACKAGE_USAGE_STATS permission (commonly named Usage Access permission) to steal banking credentials. It also uses AccessibilityService that allows operating without user’s knowledge.

However, MysteryBot is not a regular banking trojan. It has an advanced functionality, and can perform the following tasks on the affected Android device:

  • make, stop or forward phone calls;
  • access contact list,
  • copy, delete and send SMS messages,
  • operates as keylogger and copies all used keystrokes;
  • encrypt files;
  • delete contact information;
  • call USSD number;
  • steal emails;
  • give attackers remote access to the device.

This mobile banking trojan uses a sophisticated keylogging technique to get needed sensitive information. Instead of stealing keystrokes or making screenshots by exploiting Android Accessibility Service, MysteryBot can recognize device’s keyboard:

It considers that each key of the keyboard has a set location on the screen, on any given phone and regardless if the phone is in held horizontally or vertically, it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key. This view has a width and height of 0 pixels and due to the “FLAG_SECURE” setting used, the views are not visible in screenshots. Each view is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use. [Source: ThreatFabric]

Researchers tell that this code is still in-dev mode. Therefore, malware might be still improved. In case of the attack, it’s important to remove MysteryBot as soon as possible to avoid serious privacy-related issues. However, this nasty cyber threat might be hard to get rid of. So, you should powerful professional tools like Reimage or Malwarebytes Anti Malware and get rid of it automatically.

After MysteryBot removal, it is recommended to change all your account passwords to protect your privacy and accounts from being hacked and used for malicious purposes. Moreover, you should monitor your banking transactions. If you notice some suspicious activity, report your bank immediately.

The MysteryBot virus can operate as ransomware

This Android malware has built-in ransomware virus. Dubbed as Mystery_L0cker, the file-encrypting virus starts scanning the system and looking for the targeted files as soon as it gets into the system. When it finds needed files, it places them the individual password-protected ZIP archives and then deletes original copies of the files.

Each victim receives a unique a unique password. However, researchers report that functionality of MysteryBot ransomware is not great. Due to some error during the encryption, some victims may not be able to recover their files.

MysteryBot ransomware
MysteryBot ransomware encrypts various files and asks victims to send an email to a specific address in order to get access to the data.

However, following the encryption, malware delivers a message that the Android device is blocked because of accessing pornographic videos. However, the message tells that victims can restore their device and files by sending an email to googleprotect@mail.ru address and following their guidelines.

There’s no doubt that victims will be asked to pay a couple of hundred dollars in cryptocurrency in order to get back access to their files and device. However, security experts from LosVirus.es[4] note that such deal might end up with a money loss. As we have already mentioned, some victims may not be able to recover their files in general. Instead of risking to experience a bigger damage, remove MysteryBot malware form the device.

Android malware spreads as a fake Adobe Flash Player app

Android banking trojan gets into the system when people install fake Adobe Flash Player from third-party app stores or ads. Therefore, users are advised to stay away from suspicious stores and stick to the official Google Play Store.

Indeed, malware might bypass official store’s security too. However, chances to download malware from there is not that huge, especially, if you follow these security tips:

  • 
Install apps only from trusted developers;
  • Read app permissions and do not install apps that require administrative access to your device or other permissions that are unnecessary for its operation;
  • Read terms of use, privacy policy and other provided information by the developers;
  • Read user reviews outside the app store.

Eliminate MysteryBot malware from Android smartphones and tablets

In order to remove MysteryBot from the device, you have to uninstall fake Adobe Flash Player app and other malicious components from the Android OS. However, this sophisticated malware might block such attempts. For this reason, you may need to reboot your device to Safe Mode:

  1. Press and hold a power button for a couple of seconds until you see a menu.
  2. Tap and hold Power off.
  3. In the appeared prompt click OK to confirm to boot Android to Safe Mode.

If these steps did not help, just turn on and turn off your device. When try pressing and holding Menu, Volume Down, Volume Up (or Volume Down and Volume Up) simultaneously to see Safe Mode option.

When in Safe Mode, access App manager and uninstall malicious apps. However, we also recommend scanning the device with Reimage, Malwarebytes Anti Malware or another anti-malware that is compatible with your mobile device. Then you can be sure that MysteryBot removal is successful.

Once your device is virus free, change your account passwords and monitor banking transactions. If you notice something suspicious on your account, inform your bank. They will stop unknown transactions and offer the help you need.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove MysteryBot virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall MysteryBot virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References