MysteryBot – a mobile banking trojan that attacks Android 7 and 8 users
MysteryBot is a mobile virus that targets Android users. This advanced Android virus seems to be related to LokiBot malware which has been detected in 2017. However, the recent mobile malware is capable of stealing banking information, operating as a keylogger and contains a ransomware-type virus. The virus spreads as a fake Adobe Flash Player app and after infiltration gets administrative rights of the device. Since then it can perform its malicious activities.
|Summary of the cyber threat|
|Targeted OS||Android 7 and 8|
|Features||Banking trojan, keylogger, ransomware|
|Distribution||Fake Adobe Flash Player app|
|Elimination||To uninstall MysteryBot, install Reimage and run a full system scan|
According to the research data, MysteryBot virus uses the same Command and Control (C&C) server like LokiBot. Researchers assume that it might be an updated version of the latter malware or a brand new cyber threat created by the same hackers.
MysteryBot malware targets mobile devices that run on Android 7 and 8 operating system. The virus uses an advanced overlay attack and employs the Android PACKAGE_USAGE_STATS permission (commonly named Usage Access permission) to steal banking credentials. It also uses AccessibilityService that allows operating without user’s knowledge.
However, MysteryBot is not a regular banking trojan. It has an advanced functionality, and can perform the following tasks on the affected Android device:
- make, stop or forward phone calls;
- access contact list,
- copy, delete and send SMS messages,
- operates as keylogger and copies all used keystrokes;
- encrypt files;
- delete contact information;
- call USSD number;
- steal emails;
- give attackers remote access to the device.
This mobile banking trojan uses a sophisticated keylogging technique to get needed sensitive information. Instead of stealing keystrokes or making screenshots by exploiting Android Accessibility Service, MysteryBot can recognize device’s keyboard:
It considers that each key of the keyboard has a set location on the screen, on any given phone and regardless if the phone is in held horizontally or vertically, it also takes into consideration that each key has the same size and therefore is the same number of pixels away from the previous key. To summarize, it looks like this technique calculates the location for each row and places a View over each key. This view has a width and height of 0 pixels and due to the “FLAG_SECURE” setting used, the views are not visible in screenshots. Each view is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use. [Source: ThreatFabric]
Researchers tell that this code is still in-dev mode. Therefore, malware might be still improved. In case of the attack, it’s important to remove MysteryBot as soon as possible to avoid serious privacy-related issues. However, this nasty cyber threat might be hard to get rid of. So, you should powerful professional tools like Reimage or Malwarebytes and get rid of it automatically.
After MysteryBot removal, it is recommended to change all your account passwords to protect your privacy and accounts from being hacked and used for malicious purposes. Moreover, you should monitor your banking transactions. If you notice some suspicious activity, report your bank immediately.
MysteryBot - an Android banking trojan that operates as keylogger and ransomware too.
The MysteryBot virus can operate as ransomware
This Android malware has built-in ransomware virus. Dubbed as Mystery_L0cker, the file-encrypting virus starts scanning the system and looking for the targeted files as soon as it gets into the system. When it finds needed files, it places them the individual password-protected ZIP archives and then deletes original copies of the files.
Each victim receives a unique a unique password. However, researchers report that functionality of MysteryBot ransomware is not great. Due to some error during the encryption, some victims may not be able to recover their files.
MysteryBot ransomware encrypts various files and asks victims to send an email to a specific address in order to get access to the data.
However, following the encryption, malware delivers a message that the Android device is blocked because of accessing pornographic videos. However, the message tells that victims can restore their device and files by sending an email to email@example.com address and following their guidelines.
There’s no doubt that victims will be asked to pay a couple of hundred dollars in cryptocurrency in order to get back access to their files and device. However, security experts from LosVirus.es note that such deal might end up with a money loss. As we have already mentioned, some victims may not be able to recover their files in general. Instead of risking to experience a bigger damage, remove MysteryBot malware form the device.
Android malware spreads as a fake Adobe Flash Player app
Android banking trojan gets into the system when people install fake Adobe Flash Player from third-party app stores or ads. Therefore, users are advised to stay away from suspicious stores and stick to the official Google Play Store.
Indeed, malware might bypass official store’s security too. However, chances to download malware from there is not that huge, especially, if you follow these security tips:
- Install apps only from trusted developers;
- Read app permissions and do not install apps that require administrative access to your device or other permissions that are unnecessary for its operation;
- Read user reviews outside the app store.
Eliminate MysteryBot malware from Android smartphones and tablets
In order to remove MysteryBot from the device, you have to uninstall fake Adobe Flash Player app and other malicious components from the Android OS. However, this sophisticated malware might block such attempts. For this reason, you may need to reboot your device to Safe Mode:
- Press and hold a power button for a couple of seconds until you see a menu.
- Tap and hold Power off.
- In the appeared prompt click OK to confirm to boot Android to Safe Mode.
If these steps did not help, just turn on and turn off your device. When try pressing and holding Menu, Volume Down, Volume Up (or Volume Down and Volume Up) simultaneously to see Safe Mode option.
When in Safe Mode, access App manager and uninstall malicious apps. However, we also recommend scanning the device with Reimage, Malwarebytes or another anti-malware that is compatible with your mobile device. Then you can be sure that MysteryBot removal is successful.
Once your device is virus free, change your account passwords and monitor banking transactions. If you notice something suspicious on your account, inform your bank. They will stop unknown transactions and offer the help you need.