Swiss Knife Illustrating The New Sophisticated Malware 'MysteryBot'

Shield Against the New Android Banking Malware ‘MysteryBot’

Users often think of hackers as programmers who bang away at programming code to break into computer networks and devices. The MysteryBot malware is one of a long line of economically designed malware that disproves that misconception.

Mysterybot’s Bag of Tricks

MysteryBot targets the banking apps Promon developed its Application Shielding technology to protect.

MysteryBot is a like a digital swiss knife crafted to wreak havoc on mobile devices. Its primary modus operandi is to overlay screens that steal user credentials in ways far more successful than Android malware that preceded it. It also has a clever keylogger like none other!

MysteryBot achieves malicious ends by disguising itself as an update to Adobe’s Flash Player in Android app stores. “In general, the consumer must be aware that all the so-called ‘Flash Player (update) apps’ that can be found in and outside the various app stores are malware,” ThreatFabric told Bleeping Computer. ThreatFabric is the cybersecurity outfit that first spotted and then analyzed MysteryBot.

Once a user downloads the fake app, the malware shows its true nature by asking the user for permission to access Android’s Accessibility Services. Entry into the feature gives hackers complete control over the device. Black Hat’s can then control the flow of programs on the device, access other apps, and transmit stolen information back to a central network server. MysteryBot extends its control of the screen by changing what users see on the display and recording keystrokes.

Screen overlays

Picture showing a malicious extra layer on top of the user log-in interface of an appMysteryBot has advanced the practice of screen overlays. Screen overlays offer users a fake display into which they may enter their credentials to access their bank accounts.

Depending on the banking app the user wants to use, MysteryBot refers to its own library of fake overlays to display the appropriate one and steal whatever the user types in. But MysteryBot doesn’t always need a screen overlay to steal what users type into their devices.


The maker of MysteryBot has created a keylogger unlike any seen before in the Android space. Most keyloggers take screenshots at the moment a user presses a key on the keyboard to record what the user is typing. MysteryBot records the position of a tap on the screen instead. Then, the keylogger guesses the next key the user will press based on the tap’s screen position.

As malware get smarter, app providers should protect apps from the “inside out” and secure the increasingly common entry point: high-value apps.