A malware program for Android seen advertised on Russian underground forums in the last few months appears to have made its first big debut. MazarBOT can take full control of a phone and appears to be targeting online banking customers, wrote Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.
“Until now, MazarBOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code to be deployed in active attacks,” Kruse wrote. CSIS saw a “swarm” of SMSes sent to random phone number in Denmark on Friday,” Kruse wrote. The messages contained a link to an Android package file, which is MazarBOT. MazarBOT will stop installing itself if it detects an Android device that is running within Russia, perhaps to avoid drawing attention from the country’s authorities.
“CSIS was not surprised to observe that the malware cannot be installed on smartphones located in Russia,” Kruse wrote. If phones pass the location test, MazarBOT installs Tor, short for The Onion Router. Tor is a network of distributed nodes that provide greater privacy by encrypting a person’s browsing traffic and routing that traffic through random proxy servers. The malware then sends an SMS saying “Thank you” along with the device’s location to a phone number with Iran’s country code. MazarBOT can exert a lot of control over a phone. It can open up a backdoor to monitor a device, send SMSes to premium rate numbers and read two-factor authentication codes send by SMS.
The malware also has a remote debugging function, which Kruse wrote allows “for a variety of advanced attacks on the network” that a particular Android device uses. “MazarBOT is pretty advanced and nasty Android malware,” Kruse wrote. “Several factors indicate that it was designed as malware primarily targeting online banking customers. In fact, it will most likely succeed in circumventing most online banking protection solutions.”