A fresh campaign bent on exfiltrating information from, and erasing, unsuspecting victims' phones is spreading via unsolicited text messages.
Heimdal Security uncovered the Mazar BOT Android malware, which, aside from being new on the scene, is notable in that it gains administrative rights that give it the ability to do almost anything with the victim's phone.
The malware can also read SMS messages, which means it can read the one-time codes sent as part of two-factor authentication, a mechanism that online banking apps and ecommerce websites also rely on.
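The combination described above, device-administrator rights plus the ability to read SMS, is the one a defender most wants to catch at triage time, because it lets an app both resist removal and intercept two-factor codes. The following is an added example, not code from the article or from Heimdal: it parses a decoded AndroidManifest.xml (the form tools such as apktool emit), maps real Android permission names to the capabilities the article lists, and goes slightly beyond the paragraph by also scoring the location- and call-related permissions mentioned later in the piece. The two manifests are constructed samples; the `com.example.*` package names and the `.AdminReceiver` class are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Real Android permission names, grouped by the capability they enable.
# Any one permission in a group is enough to grant that capability.
CAPABILITY_MAP = {
    "intercept_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "track_location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "monitor_calls": {"android.permission.READ_CALL_LOG",
                      "android.permission.READ_PHONE_STATE"},
    "network": {"android.permission.INTERNET"},
}

# Constructed sample: a manifest requesting the permission set implied by the
# capabilities the article describes (package name is a placeholder).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakemms">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="MMS">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def parse_manifest(xml_text: str) -> dict:
    """Collect requested permissions and whether a device-admin receiver is declared.
    Device admin is not a <uses-permission>; it shows up as a <receiver> protected by
    BIND_DEVICE_ADMIN, so both places are checked."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    permissions = {e.get(name_attr) for e in root.iter("uses-permission")}
    device_admin = any(e.get(perm_attr) == DEVICE_ADMIN_PERM for e in root.iter("receiver"))
    return {"package": root.get("package"),
            "permissions": permissions,
            "device_admin": device_admin}


def capabilities(info: dict) -> set:
    """Translate the raw permission set into the capabilities it grants."""
    caps = {cap for cap, needed in CAPABILITY_MAP.items() if info["permissions"] & needed}
    if info["device_admin"]:
        caps.add("device_admin")
    return caps


def risk_level(caps: set) -> str:
    """Device admin together with SMS interception is the combination that lets an
    app resist uninstall while stealing 2FA codes, so it is rated high on its own;
    two or more surveillance/fraud capabilities without it rate medium."""
    if "device_admin" in caps and "intercept_sms" in caps:
        return "high"
    surveillance = caps & {"intercept_sms", "send_sms", "track_location", "monitor_calls"}
    if len(surveillance) >= 2:
        return "medium"
    return "low"


def triage(xml_text: str) -> dict:
    info = parse_manifest(xml_text)
    caps = capabilities(info)
    return {"package": info["package"], "capabilities": sorted(caps), "risk": risk_level(caps)}


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The permission set is a weak signal on its own (legitimate SMS and MDM apps request similar things), so this is a prioritisation step for analysts, not a verdict; what it does reliably is surface the admin-plus-SMS pairing that this family depends on.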
The attack chain begins with a message: “You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.”
If the APK, an Android application package, is run, it gains administrator rights on the victim's device. The malicious APK also retrieves Tor, installs it on the phone, and then routes its connection to the command-and-control server through Tor to hide it.
From there, the attackers can do any number of things, including harvesting data, tracking location, monitoring messages and calls, and even erasing the phone altogether. They can also send SMS messages to premium-rate numbers, seriously inflating the victim's phone bill.
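The attack chain above starts with a text message carrying a direct link to an `.apk` file, which is the one element a defender can match mechanically before anyone taps it. The following is an added example, not code from the article or from Heimdal: a small lure detector that normalises the defanged form in which such messages are usually reported (`hxxp`, `[.]`, spaces around `://` and `/`), extracts URLs whose path ends in `.apk`, and notes the "multimedia message" wording as a secondary indicator. The sample messages are constructed; the first reproduces the lure quoted in the article, and the `example.net`/`example.org` hosts are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from a real device). The first is the lure text
# quoted in the article, in its defanged form; the rest are benign or variants.
SAMPLE_SMS = [
    "You have received a multimedia message from +47 12345678 Follow the link "
    "http: //www.mmsforyou [.] Net / mms.apk to view the message.",
    "Your parcel is waiting. Track it at https://example.org/track?id=123",
    "Reminder: dentist appointment tomorrow at 10:00.",
    "New voicemail! Listen here hxxp://cdn.example[.]net/play.apk",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
MMS_WORDING_RE = re.compile(r"\b(multimedia message|mms)\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so a lure copied from a report matches the same rule
    as the live message: '[.]' -> '.', 'hxxp' -> 'http', and stray spaces that
    reports insert around '://' and '/' inside a URL."""
    t = re.sub(r"\s*\[\.\]\s*", ".", text)
    t = re.sub(r"\bhxxp", "http", t, flags=re.IGNORECASE)
    t = re.sub(r"http(s?):\s*//\s*", r"http\1://", t, flags=re.IGNORECASE)
    t = re.sub(r"\s*/\s*", "/", t)
    return t


def extract_apk_links(text: str) -> list:
    """Return every URL in the message whose path ends in .apk."""
    links = []
    for url in URL_RE.findall(refang(text)):
        url = url.rstrip(".,;:!?)")  # trailing sentence punctuation is not part of the URL
        if urlparse(url).path.lower().endswith(".apk"):
            links.append(url)
    return links


def assess(text: str) -> dict:
    """Score one message. A direct .apk link is the deciding indicator; the MMS
    wording alone is too common in legitimate carrier notices to act on."""
    links = extract_apk_links(text)
    reasons = []
    if links:
        reasons.append("direct_apk_link")
    if MMS_WORDING_RE.search(text):
        reasons.append("mms_lure_wording")
    return {"text": text, "apk_links": links, "reasons": reasons, "suspicious": bool(links)}


def triage(messages: list) -> list:
    """Return only the messages that should be blocked or reviewed."""
    return [r for r in (assess(m) for m in messages) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_SMS):
        print(hit["reasons"], hit["apk_links"])
```

Matching on the `.apk` suffix rather than on the specific `mmsforyou` domain is deliberate: the domain changes between campaigns, while a sideloading lure has to deliver a package file somehow, so the file type is the more durable indicator. Gateways that can only see the SMS body, not the eventual HTTP redirect, will still miss links that serve the APK from a shortener or a path without the extension.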
But wait, there’s more.
Heimdal noted that the attackers behind Mazar BOT also bundled the Polipo proxy, a caching web proxy that, among other uses, serves pages for offline access. By routing the phone's web traffic through this proxy, the criminals can interpose themselves between the victim's phone and a web-based service and alter the traffic, a man-in-the-middle attack.
Interestingly, the code contains protections for Russians.
“Our team was not surprised to observe that the malware cannot be installed on smartphones running Android with the Russian language option,” said Andra Zaharia, security specialist at Heimdal Security, in a blog. “Mazar BOT will check the phone to identify the victim’s country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user.”
Until now, Mazar BOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code be abused in active attacks, she added.
“Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always),” Zaharia said. “We can expect this malware to expand its reach, also because of its ability to remain covert by using TOR to hide its communication.”