At the end of last week, a large number of text messages were sent to phone numbers in Denmark and, according to CSIS, the source of this report, “likely elsewhere.” The message read: “You have received a multimedia message from +[country code] [sender number] Follow the link http://www.mmsforyou[.]net/mms.apk to view the message”, and the intention behind the SMS was to get the reader to install the file at the link. The link downloads a malicious APK (Android application package) that looks close to the genuine item, as you’ll see from the screenshot below. The mms.apk application is not legitimate: it attempts to gain administrator rights on the target device and, with them, a number of significant permissions, including the ability to send text messages. As an unusual quirk, the application checks where the device is being used and, if the location is Russia, it stops the installation. It’s not clear why this is the case.
Assuming the device isn’t being used in Russia, the malware installs Tor (The Onion Router), which encrypts a person’s browser traffic by routing it through a series of random proxy servers distributed across the Internet. After installing Tor, the application sends a single text message containing the words “Thank you” and the device location to a number in Iran. MazarBOT is a capable piece of malware. It can open up the device for remote monitoring, change the device configuration (including how the keys work), and send premium-rate SMS messages (running up a hefty phone bill). The code can read incoming and stored messages on the device, which means it could be used to read the two-factor authentication codes sent by online email and banking services. It also contains a remote debugging function, which could be used for a number of advanced attacks on whatever network(s) the device is connected to. CSIS notes that the malware appears designed to circumvent the security systems put in place to keep customers’ online bank accounts safe.
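As an added example, not taken from the CSIS write-up or from the malware itself, the following Python script triages a decoded AndroidManifest.xml for the combination of capabilities described above: a device-admin receiver, SMS send/read permissions, and location access. The manifest it runs on is a constructed sample, and its package and class names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the malware needs to read 2FA codes and send (premium-rate) SMS.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

def triage_manifest(manifest_xml: str) -> dict:
    """Return the risk indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    # A device-admin receiver is declared by protecting a <receiver> with
    # BIND_DEVICE_ADMIN; it is not a <uses-permission> entry.
    wants_admin = any(
        r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM for r in root.iter("receiver")
    )
    sms = sorted(perms & SMS_PERMS)
    loc = sorted(perms & LOCATION_PERMS)
    # The combination described on this page: admin rights + SMS sending + location.
    suspicious = wants_admin and "android.permission.SEND_SMS" in sms and bool(loc)
    return {"device_admin": wants_admin, "sms": sms, "location": loc, "suspicious": suspicious}

# Constructed sample manifest (assumed package/class names, not the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.fakemms">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="MMS">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A manifest decoded with a tool such as apktool can be fed to triage_manifest directly; a benign app that only asks for INTERNET comes back with suspicious set to False.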
CSIS has dubbed the application “MazarBOT” after the Mazar Android BOT seen for sale towards the end of 2015 on a number of Russian underground websites. Peter Kruse, author of the source post, said this about the malware: “Until now, MazarBOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code deployed in active attacks… MazarBOT is pretty advanced and nasty Android malware.” The post notes that only a small number of Android anti-virus applications recognize MazarBOT: just three of the fifty-four tested. Given that, in CSIS’ opinion, the malware could circumvent the majority of online banking security systems, Android device users everywhere must beware of installing an unfamiliar application that arrives via a link in a text message.