Mazar BOT graduates into the wild; capable of overtaking Android devices

Mazar BOT is now “right up at the top” of the list of the most dangerous Android APKs in the wild, warns Heimdal Security CEO Morten Kjaersgaard.

Mazar BOT, an Android-based malware program that grants hackers full control of a victim's device, including the ability to erase files and control calls and text messages, has just been observed in the wild for the first time.

Researchers at Denmark-based Heimdal Security reported this worrisome discovery in a corporate blog post over the weekend. Morten Kjaersgaard, CEO of Heimdal, told SCMagazine.com that this development firmly places Mazar BOT “right up at the top” of the list of the most dangerous active Android malware programs, due to its complexity of design, as well as “the fact that it can cost you a lot of money, not only in terms of extra charges to your phone bill but also indirect damages due to intercepted personal credentials.”

Heimdal's telemetry is confined to Denmark's borders, so it remains unclear if Mazar BOT is active on a global basis. Based on activity observed in Denmark, however, the malicious Android application package (APK) is spreading via SMS or MMS messages that attempt to trick recipients into clicking on a link. Savvier device owners may sniff out this ruse, but the cybercriminals' social engineering tactics will likely evolve to compensate. “The next logical step for this malware would be spoofing messages from credible banks,” Kjaersgaard remarked.

Of course, clicking on the link triggers a download of the malware, which grants the bad actors administrative rights to the affected device. From there, the culprits can read or send messages, access the Internet, make calls or even wipe a device's storage. As a second phase of attack, Mazar BOT also connects to a server via the anonymous Tor network and exploits the hijacked SMS capabilities to export the device's location data.

Money, as usual, is the suspected motive. For instance, control of SMS allows hackers to send messages to their own premium channel numbers, as well as read two-factor authentication codes that banks and retailers use to confirm a customer's identity. Kjaersgaard suspects hackers will eventually add a ransomware component as well.

But the malware's hazards don't stop there. Mazar BOT can also place a proxy on the device that lets attackers secretly intercept phone traffic and manipulate communications via a Man-in-the-Middle attack. This could allow hackers to interfere with mobile banking transactions—intercepting genuine communications from a customer's bank and replacing them with fraudulent requests for sensitive personal information.

Mazar BOT's other capabilities include injecting itself into the Chrome browser, controlling a phone's keys and enabling a device's sleep mode.

Heimdal identified one subset of devices that appear to be immune to this online scourge: “Our team was not surprised to observe that the malware cannot be installed on smartphones running Android with the Russian language option,” stated Heimdal in its blog post. “Mazar BOT will check the phone to identify the victim's country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user.” A prevailing theory behind this quirk is that Russian coders are responsible for the malware, and were careful not to victimize Russian device-owners.

Mazar BOT was initially exposed in November 2015 by threat intelligence provider Recorded Future, but at the time it was only observed for sale on the black market, not in the wild. In its blog post, Heimdal recommends, among other measures, never clicking links in text messages; disallowing downloads from unknown sources like third-party app stores; and installing a top anti-virus program. With that said, only three out of 54 anti-virus programs utilized by Google's free file scanning service VirusTotal detected the malware when it was analyzed on Feb. 2, 2016.

Fortunately, "most devices have the 'Unknown Sources' functionality disabled by default," said Joshua J. Drake, VP of Research at mobile security company Zimperium. "Because of this fact, users won't even be able to install Mazar after opening the SMS/MMS link without turning this setting off."

Update: IBM has reported that its X-Force threat intelligence team has discovered that the source code for GM Bot, the malware on which Mazar BOT was built, has been leaked. This could lead to many more attacks, said IBM, because cybercriminals who once had to buy GM Bot from the black market can now use it for free.
