Mazar BOT Android Malware Can Erase Your Phone’s Data, Except If You’re Russian


Mazar BOT is spread via SMS/MMS spam. A new Android malware variant has surfaced that has rooting capabilities, can wipe your phone's storage, and carries many other hidden functions that turn the phone into a zombie inside a botnet, Heimdal Security reports.

The way this malware spreads is unusual compared to similar Android threats, which rely on users installing apps from third-party app stores. In Mazar's case, users receive spam SMS/MMS messages containing a link to a malicious APK (Android app package).

If the user falls for the spam and visits the link, the APK file is downloaded to the device. If the user runs it, they are prompted to install a new app.

This new app has a generic name, MMS Messaging, and also asks for device administrator privileges, which most inexperienced users will grant because of the name.

Mazar is packed full of intrusive functions

Once it has those privileges, Mazar can do a lot of nasty things on the device: gain boot persistence to survive restarts, send and read SMS messages, call other numbers, read the phone's state, inject itself into Chrome, alter phone settings, control phone keys, force the phone into sleep mode, query the network status, and access the Internet.

The most dangerous ability Mazar gains at this stage is the power to wipe the device's storage. Note that a remote wipe does not require root on Android: it is a standard device-administrator policy (DevicePolicyManager.wipeData), which is exactly what the admin prompt at install time hands over.
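The capabilities listed above are not magic; most of them are backed by permissions and a device-admin receiver declared in the app's AndroidManifest.xml, so an analyst can triage a suspicious APK statically before running it. The following Python helper is an added example written for this article, not code from Heimdal or from the Mazar BOT sample: it parses a manifest and maps declared permissions to the capabilities described here. The manifest it reads is constructed for the example and is not the real Mazar manifest, and the permission-to-capability table is an assumption based on the standard Android permission model.

```python
"""Static triage of an Android manifest against the Mazar BOT capability list.

Added example, not the article's or Heimdal's own code. SAMPLE_MANIFEST is
constructed for illustration and is not the real Mazar BOT manifest.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_LABEL = f"{{{ANDROID_NS}}}label"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission -> capability from the article. This mapping is an assumption
# derived from the standard Android permission model, not from Mazar's code.
CAPABILITIES = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_PHONE_STATE": "read phone state",
    "android.permission.WRITE_SETTINGS": "alter phone settings",
    "android.permission.WAKE_LOCK": "control sleep state",
    "android.permission.ACCESS_NETWORK_STATE": "query network status",
    "android.permission.INTERNET": "Internet access",
    "android.permission.ACCESS_FINE_LOCATION": "report device location",
}

# A receiver guarded by this permission is how an app asks for device-admin
# rights. wipeData() is only possible after the user grants them, and the exact
# policies requested live in the referenced res/xml resource, not the manifest.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest for the example (hypothetical package name).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mmsmessaging">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="MMS Messaging">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return package, label, matched capabilities and device-admin status."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    declared = {el.get(A_NAME) for el in root.iter("uses-permission")}
    capabilities = sorted(CAPABILITIES[p] for p in declared if p in CAPABILITIES)
    unmapped = sorted(p for p in declared if p not in CAPABILITIES)
    requests_device_admin = any(
        r.get(A_PERMISSION) == DEVICE_ADMIN_PERMISSION for r in root.iter("receiver")
    )
    return {
        "package": root.get("package"),
        "label": app.get(A_LABEL) if app is not None else None,
        "capabilities": capabilities,
        "unmapped_permissions": unmapped,
        "requests_device_admin": requests_device_admin,
        # Remote wipe needs device-admin rights, so flag it when they are requested.
        "wipe_possible_if_admin_granted": requests_device_admin,
    }


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run on a real sample, feed it the manifest decoded from the APK (for instance with apktool) rather than the constructed one. A messaging app that legitimately needs SMS permissions is not suspicious on its own; the combination of a generic label, a device-admin receiver, boot persistence and location access in one package is what should raise the triage score.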

In their investigation, Heimdal's staff observed Mazar BOT download and install a legitimate Tor Android app. With Tor in place, the malware can route its traffic through the Tor network, hiding the location of its command infrastructure.

Mazar BOT may be run by a Russian cyber-gang

Once Tor is installed, Mazar also sends an SMS reading "Thank you" to an Iranian phone number. This message acts as a beacon and includes the device's location, letting the campaign's operator know that a new bot has been recruited into the network.

In some cases, Mazar has also installed an Android app called Polipo proxy, which sets up a proxy on the device and lets the malware's operator spy on Web traffic and carry out MitM (Man-in-the-Middle) attacks.

Despite the beacon SMS going to an Iranian phone number, the Mazar BOT source code includes a specific check that aborts the installation if the phone is configured to use the Russian language.

This is a much better clue about the malware author's real location than the beacon number. It is an unwritten law in Russia that if cyber-criminals don't go after Russians, Russian authorities won't go after them.

Mazar BOT was first spotted last year by Recorded Future, being offered for sale on the underground malware market. This is the first case of Mazar being detected in a real-world malware campaign.

MMS Messaging app that delivers Mazar BOT