New MysteryBot Malware Targets Devices Running on Android 7 and 8


Researchers discovered a new Android Banking Trojan dubbed MysteryBot which shares some similarities with the LokiBot malware.

Security researchers at Threat Fabric who discovered the malware said the both MysteryBot and LokiBot malware were running on the same C&C server.

The MysteryBot malware contains combined features of a banking trojan, ransomware, and keylogger making it more harmful than any other recently discovered malware.

“During the investigation of its network activity, we found out that MysteryBot and LokiBot Android banker are both running on the same C&C server. This quickly brought us to an early conclusion that this newly discovered Malware is either an update to Lokibot, either another banking trojan developed by the same actor.”

The major difference from LokiBot malware is that attackers improved the commands and changed the name of the bot and panel to MysteryBot and also altered the network communication.

The MysteryBot Banking Trojan is capable of

  1. Making phone calls or forwarding phone calls to another number.
  2. Steal contact information from the device
  3. Extract or delete text messages on the device
  4. Can send a text message to a specific number or to all the contacts in the device
  5. Copies and save keystrokes
  6. Encrypts files on the external device and delete all the information on the infected device

The malware is distributed through fake Adobe flash player targeting device running on Android 7 and 8.

In 7 and 8 version of Android previously used overlay attack techniques were less affected due to the security protections like Security-Enhanced Linux (SELinux) and other security controls (sandbox restrictions). These prevent malware from displaying fake pages over apps.

To overcome these attackers used a new technique by abusing the Android PACKAGE_USAGE_STATS permission (commonly named Usage Access permission).

The MysteryBot  employs the  AccessibilityService which allows the malware to enable and abuse any required permission without the consent of the victim.

“It seems that the reason for the victims to grant such permissions and the number of benign apps nowadays asking for exhaustive sets of permissions, making it common for users to grant permissions without reviewing the permissions requested. At the moment MysteryBot is not using such MO to get the Usage Access permission, but will ask the victim or it directly.” said in the post published by Threat Fabric.

According to researchers the malware is still under development and has not spread yet widely.

Always follow these basic steps to prevent your smartphone from infection:

  1. Always switch off “Allow installation from unknown sources” in security settings thereby restricting download apps from a third party and anonymous sources.
  2. Don’t download attachments from unknown sources.
  3. Always Use google play store to install apps, don’t use any third party app stores.
  4. Download apps from verified developers and check their app rating and download counts before installing an app.
  5. Verify app permission before installing an app.
  6. Install the best and updated antivirus/anti-malware software which can detect and block these type of malware.
  7. Always keep play protection ON
  8. Always keep your device OS and apps up to date.

Please rate this content