Mazar Bot malware can root and wipe Android smartphones


Security experts are warning about a new malware attack that targets Android users. Mazar Bot is delivered via SMS, is able to gain root access to devices, installs software including Tor, and can even go as far as completely wiping a victim's phone.

Mazar Bot was discovered by Heimdal Security whose researchers analyzed a text message that had been found sent to random numbers. The message purports to provide a link to an MMS, but in fact tricks recipients to install the malicious mms.apk -- Mazar Android BOT in disguise.


The message reads: "You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message", and would be enough to fool many people into clicking through to view what they believe to be a photo or video. The MMS Messaging app uses administrator privileges to gain access to permissions such as SEND_SMS, READ_PHONE_STATE, and ERASE_PHONE.

The malware also installs Tor, connects to the http://pc35hiptpcwqezgs.Onion server, and sends an SMS to an Iranian phone number revealing the handset's location. Heimdal Security warns that Mazar Bot can:

  • Open a backdoor into Android smartphones, to monitor and control them as they please;
  • Send SMS messages to premium channel numbers, seriously increasing the victim’s phone bill;
  • Read SMS messages, which means they can also read authentication codes sent as part of two-factor authentication mechanisms, used also by online banking apps and ecommerce websites;
  • Use their full access to Android phones to basically manipulate the device to do whatever they want.
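As an added example (not from the article or from Heimdal Security's analysis), the following Python triage script flags the permission combination described above in a decoded AndroidManifest.xml: a device-admin receiver alongside SMS permissions. The manifest and package name are constructed; a real APK's manifest is binary XML and must first be decoded with a tool such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission names from the article's description of the fake "MMS Messaging" app.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
FLAGGED_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.ERASE_PHONE"}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (decoded XML), modelled on the behaviour the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mms">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="MMS Messaging">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return package name, findings and a verdict for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks to become a device
    # administrator, which lets it resist uninstall and, with a wipe policy, erase the phone.
    admin_receivers = [r.get(ANDROID + "name") for r in root.iter("receiver")
                       if r.get(ANDROID + "permission") == DEVICE_ADMIN]
    findings = []
    if admin_receivers:
        findings.append("device-admin receiver: " + ", ".join(admin_receivers))
    sms = sorted(perms & SMS_PERMS)
    if sms:
        findings.append("SMS permissions (premium SMS / 2FA interception): " + ", ".join(sms))
    other = sorted(perms & FLAGGED_PERMS)
    if other:
        findings.append("other sensitive permissions: " + ", ".join(other))
    # Device admin plus SMS access in a side-loaded "MMS viewer" is the combination to escalate.
    return {"package": root.get("package"),
            "findings": findings,
            "suspicious": bool(admin_receivers and sms)}


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```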

There is also the risk of a man-in-the-middle attack via the Polipo proxy, and Mazar Bot can inject itself into Chrome as well.

Interestingly -- and perhaps revealingly -- the malware will not install on handsets configured to use Russian. While Mazar Bot is not entirely new (it was first talked about back in November), it was previously restricted to advertisements on the Dark Web. This is the first time it has been seen out in the wild.


10 Responses to Mazar Bot malware can root and wipe Android smartphones

  1. Tor is browser software you can get on Google Play for Android devices, not a virus. Get your facts straight.

    • Realist says:

      Please comprehend what you're reading before posting.

      It says that the virus installs TOR, not that TOR is the virus.

      Get your facts straight indeed.

      • Scare tactics, "Realist": nothing mentioning the purpose for Tor, just that it downloads Tor, which causes a misplaced paranoia concerning the app itself. Insufficient data which could very well freak out the novice internet user for the sake of a story.

      • After all, when an idiot writes something like "The malware also installs Tor" without taking even a single sentence to explain what Tor is or what it does, nor do they even bother to explain that it's not about Tor, briefly it spreads panic. So fuck this guy.

    • Mark Wilson says:

      Indeed... but that's not the payload of the malware!

  2. Incredibly lazy blogs posing as news never bother to post details


  3. Genex17 says:

    Just set your security settings for "unknown sources" to "off".

  4. BaldyPal says:

    "The MMS Messaging app uses administrator privileges"
    How can it gain admin privileges if the phone isn't rooted?

  5. Pic889 says:

    So, anyone with "untrusted sources" set to off (factory-default behaviour) will not even get to the permissions screen. This is presented as a bigger threat than it really is, but I guess firms that sell useless mobile AVs have to make money.
