New Android Trojan; Of Malware, MazarBOTs & Malicious APKs
Beware, Android users: a new piece of malware is currently circulating. It is an Android banking Trojan, reported to be capable of wiping the affected phone clean as well as stealing online banking details stored on the device, reports The Register.
The malware was first discovered last Friday, when a batch of SMS messages was received by a number of users. Most of the affected users, according to reports, are in Denmark. Users in other regions may also be affected, but so far there is no information indicating so.
The messages are said to contain a link leading to a malicious Android application file (APK). The text message reads: “You have received a multimedia message from +[country code][sender number] Follow the link http://www.mmsforyou[.]net/mms.apk to view the message.” Once the recipient clicks the link and runs the APK on an Android phone, the malware gains administrator rights on the user’s device, reports CSIS.
The malware is then able to use the following permissions on the victim’s phone: SEND_SMS, RECEIVE_BOOT_COMPLETED, INTERNET, SYSTEM_ALERT_WINDOW, WRITE_SMS, ACCESS_NETWORK_STATE, WAKE_LOCK, GET_TASKS, CALL_PHONE, RECEIVE_SMS, READ_PHONE_STATE, READ_SMS, and ERASE_PHONE.
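The lure message and the permission list above are the two artefacts a defender can triage directly. The following Python is an added example (not code from the article or from any of the vendors it cites): it refangs a defanged message, flags links that fetch an APK from anywhere other than an app-store host, and scores a declared permission set for the SMS-interception-plus-overlay combination that characterises an SMS-stealing banker. The sample message, the sender number, the hostname `mms-lure.example` and the grouping of permissions into capability buckets are constructed for this example.

```python
import re

# Permissions grouped by the capability they give an app. ERASE_PHONE is
# listed because the article reports it; it is not a standard Android
# permission name, so it is kept in its own bucket.
RISK_GROUPS = {
    "sms_interception": {"RECEIVE_SMS", "READ_SMS"},
    "sms_sending": {"SEND_SMS", "WRITE_SMS"},
    "overlay": {"SYSTEM_ALERT_WINDOW"},
    "persistence": {"RECEIVE_BOOT_COMPLETED", "WAKE_LOCK"},
    "calling": {"CALL_PHONE"},
    "task_spying": {"GET_TASKS"},
    "wipe": {"ERASE_PHONE"},
}

# The permission list reported for the malicious APK in the article.
MAZAR_PERMISSIONS = [
    "SEND_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET", "SYSTEM_ALERT_WINDOW",
    "WRITE_SMS", "ACCESS_NETWORK_STATE", "WAKE_LOCK", "GET_TASKS",
    "CALL_PHONE", "RECEIVE_SMS", "READ_PHONE_STATE", "READ_SMS", "ERASE_PHONE",
]

# Hosts from which an app-install link in a message is expected to come.
TRUSTED_APK_HOSTS = {"play.google.com", "f-droid.org"}

LINK_RE = re.compile(r"https?://([^/\s]+)(/[^\s]*)?", re.IGNORECASE)


def normalise_permission(name):
    """Accept 'android.permission.READ_SMS' or 'read_sms'; return 'READ_SMS'."""
    return name.split(".")[-1].upper()


def triage_permissions(perms):
    """Map a declared permission list onto capability buckets.

    Returns the buckets hit and a boolean for the banker pattern: SMS
    interception combined with either SMS sending or overlay windows.
    """
    present = {normalise_permission(p) for p in perms}
    hits = {
        group: sorted(present & members)
        for group, members in RISK_GROUPS.items()
        if present & members
    }
    banker_pattern = "sms_interception" in hits and (
        "sms_sending" in hits or "overlay" in hits
    )
    return {"groups": hits, "banker_pattern": banker_pattern}


def refang(text):
    """Undo common IoC defanging ('[.]', 'hxxp') so links can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def triage_sms(text):
    """Return a list of findings for an incoming message body."""
    text = refang(text)
    findings = []
    for m in LINK_RE.finditer(text):
        host = m.group(1).lower()
        path = (m.group(2) or "").lower()
        # A direct .apk download that bypasses the app store is the key signal.
        if path.endswith(".apk") and host not in TRUSTED_APK_HOSTS:
            findings.append(f"direct APK download from untrusted host {host}")
    # The article's lure is MMS-themed; only note the theme when a link fired.
    if findings and re.search(r"multimedia message|\bmms\b", text, re.IGNORECASE):
        findings.append("MMS-themed lure")
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the lure quoted in the article.
    sample = ("You have received a multimedia message from +45 12345678 "
              "Follow the link http://mms-lure[.]example/mms.apk to view the message.")
    print(triage_sms(sample))
    print(triage_permissions(MAZAR_PERMISSIONS))
```

The permission check is a triage heuristic, not a verdict: legitimate messaging apps also declare the SMS permissions, so a hit should route the APK to closer inspection rather than be treated as proof of infection.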
The malicious APK was identified as the Mazar Android BOT, which Recorded Future reported back in November 2015 when it was still being sold on Russian underground websites. The malicious APK then retrieves Tor and installs it on the affected phone via the harmless URLs https://f-droid.org/repository/browse/?fdid=org.torproject.android and https://play.google.com/store/apps/details?id=org.torproject.android.
Once this stage is reached, the infection unpacks and runs the Tor application, which connects to the server http://pc35hiptpcwqezgs[.]onion. An automated SMS is then sent to the number 9876543210 containing the message “Thank You.” Unfortunately, that text message is also said to include the affected device’s location data.
The malware is bad news, as it leaves the phone’s user open to hostile attacks. Once infected, the device has a backdoor opened into it, which the attackers can use to monitor and control it as they please. The attackers can also send text messages to premium-rate numbers, which means they can increase the victim’s phone bill without the victim even knowing why.
The evil geniuses behind the Android Trojan can also read the victim’s text messages, which means they can read the one-time authentication codes sent by SMS that online banking and e-commerce websites commonly rely on. But the bad things don’t stop there, as the attackers have also implemented the “Polipo proxy”, which gives them access to additional Android functions.
Through the Polipo proxy, cyber criminals can modify traffic and place themselves between the victim’s phone and a web-based service. This also lets them distance themselves from any tracks they might leave, making it a perfect man-in-the-middle attack scenario. And the malware doesn’t stop there, as MazarBOT can also inject itself into Chrome.
Interestingly, once the malware determines that the device it has invaded belongs to a user in Russia, MazarBOT halts the malicious APK. Meanwhile, it has been revealed that this is the first time the malware has been used in active attacks. In the past it was advertised for sale, but that was all until this Friday.