Mazar Bot malware can root and wipe Android smartphones
Security experts are warning about a new malware attack that targets Android users. Mazar Bot is delivered via SMS, is able to gain root access to devices, installs software including Tor, and can even go as far as completely wiping a victim's phone.
Mazar Bot was discovered by Heimdal Security, whose researchers analyzed a text message that had been sent to random numbers. The message purports to provide a link to an MMS, but in fact tricks recipients into installing the malicious mms.apk -- Mazar Android BOT in disguise.
The message reads: "You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message", and would be enough to fool many people into clicking through to view what they believe to be a photo or video. Once installed, the "MMS Messaging" app uses administrator privileges to obtain permissions such as SEND_SMS, READ_PHONE_STATE, and ERASE_PHONE.
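As an added example (not the article's or Heimdal's code), a small Python triage routine that flags texts of the kind quoted above: a message claiming to be an MMS notification whose link leads straight to an .apk file. It undoes the defanging used in the quote ("[.]", "http: //") so the same check runs over analyst notes; the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed samples: the first reproduces the (defanged) lure text quoted
# above, the others are harmless messages used to check for false positives.
LURE_SMS = ("You have received a multimedia message from +[country code] [sender number] "
            "Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message")
BENIGN_SMS = "Your parcel is out for delivery, track it at https://example.com/track/123"
NO_LINK_SMS = "You have received a multimedia message, open it in your messaging app."

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
MMS_WORDS = re.compile(r"\b(mms|multimedia message)\b", re.IGNORECASE)

@dataclass
class Verdict:
    suspicious: bool
    url: Optional[str]
    reasons: List[str] = field(default_factory=list)

def refang(text: str) -> str:
    """Undo common analyst defanging ("[.]", "http: //", " / ") so URLs parse."""
    text = re.sub(r"\s*\[\.\]\s*", ".", text)
    text = re.sub(r"(https?)\s*:\s*//\s*", r"\1://", text, flags=re.IGNORECASE)
    return re.sub(r"\s*/\s*", "/", text)

def triage_sms(text: str) -> Verdict:
    """Flag a text that promises an MMS but whose link is a direct APK download."""
    match = URL_RE.search(refang(text))
    if match is None:
        return Verdict(False, None)  # no link at all: not this lure
    url = match.group(0).rstrip(".,;:)")
    reasons = []
    if urlsplit(url).path.lower().endswith(".apk"):
        reasons.append("link points directly at an APK file")
    if MMS_WORDS.search(text):
        reasons.append("message claims to be an MMS notification")
    # Both signals together are the lure pattern; either alone is only weak evidence.
    return Verdict(len(reasons) == 2, url, reasons)

if __name__ == "__main__":
    for sms in (LURE_SMS, BENIGN_SMS, NO_LINK_SMS):
        v = triage_sms(sms)
        print("SUSPICIOUS" if v.suspicious else "ok", v.url, v.reasons)
```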
The malware also installs Tor, connects to the http://pc35hiptpcwqezgs.Onion server, and sends an SMS to an Iranian phone number revealing the handset's location. Heimdal Security warns that Mazar Bot can:
- Open a backdoor into Android smartphones, to monitor and control them as they please;
- Send SMS messages to premium channel numbers, seriously increasing the victim’s phone bill;
- Read SMS messages, which means they can also read authentication codes sent as part of two-factor authentication mechanisms, used also by online banking apps and ecommerce websites;
- Use their full access to the Android phone to manipulate the device however they want.
There is also the risk of a man-in-the-middle attack using the Polipo proxy, and Mazar Bot can inject itself into Chrome.
Interestingly -- and perhaps revealingly -- the malware will not install on handsets configured to use Russian. While Mazar Bot is not entirely new (it was first talked about back in November), it was previously restricted to advertisements on the Dark Web. This is the first time it has been seen out in the wild.