{"id":82270,"date":"2016-03-02T10:14:16","date_gmt":"2016-03-02T04:44:16","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=82270"},"modified":"2016-03-26T17:01:14","modified_gmt":"2016-03-26T11:31:14","slug":"mazarbot-new-android-malware-steals-smss-and-wipes-phones","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/mazarbot-new-android-malware-steals-smss-and-wipes-phones\/","title":{"rendered":"MazarBOT: New Android Malware Steals SMSs and Wipes Phones"},"content":{"rendered":"<p>A new Android malware, known as <b>MazarBOT<\/b>, has been discovered in-the-wild and this dangerous sample has the capability to hijack an unsuspecting user\u2019s smartphone. The malware gets into a victim\u2019s phone with an SMS as follows:<\/p>\n<p><center><span style=\"font-size: 16px; color: #ff6600; font-weight: bold;\">You have received a multimedia message from +[xx] [xxxxxxxxxx]. Follow the link hxxp:\/\/www.mmsforyou[.]Net\/mms.apk to view the message.<\/span><\/center>When we tried to access this embedded link at our Quick Heal Threat Research Labs, an APK was downloaded into the vulnerable phone. When analyzed, the APK was found to be an interesting malware strain with extremely dangerous capabilities.<\/p>\n<p>The wordings of the SMS are such that the user will be naturally inclined to click on the link that is included. Once the link is clicked, the APK starts downloading automatically and when this APK is then installed, the user can see the name <b>\u201cMMS Messaging\u201d<\/b> with an icon that is similar to the in-built Android SMS app.<\/p>\n<p>After launching <b>\u201cMMS Messaging\u201d<\/b> a system prompt is shown as seen in Figure 2 below. This prompt allows the malware to get the privilege of a Device Admin. This privilege is the access right that is given by the Android OS to the malware in order to perform a factory reset of the device. 
To make the user believe that his permission is required to view the MMS, the malware shows the caption <b>\u201cGet video codec access\u201d<\/b>. Interestingly, once this page has been opened the user cannot back out or close the prompt. Even if the \u2018Cancel\u2019 button, the \u2018Home\u2019 button or the \u2018Back\u2019 button is pressed, the same window opens again immediately, until the user clicks on \u2018Activate\u2019.<\/p>\n<p><center><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/figure_2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-82272\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/figure_2.png\" alt=\"Figure 2_MazarBOT\" width=\"450\" height=\"750\" \/><\/a><\/center>After clicking on \u2018Activate\u2019 the app icon gets hidden and the malware starts operating in the background. If the user now feels that something is wrong and tries to uninstall the malware, the process is complicated because the malware holds Device Admin privilege. To uninstall it, the user first has to deactivate that privilege. Unfortunately, the malware also has a way to prevent users from deactivating the Device Admin privilege.<\/p>\n<p><span style=\"font-size: 15px; color: #006bb2; font-weight: bold;\">Capabilities of MazarBOT to hide network traffic<\/span><\/p>\n<p>Another integral feature of MazarBOT is that it makes use of TOR and Polipo Proxy libraries to hide its network traffic from monitoring tools that are used by security researchers. Its Command &amp; Control server is located at <span style=\"font-size: 16px; color: #ff6600; font-weight: bold;\">hxxp:\/\/pc35hiptpcwqezgs[.]onion<\/span> and is set up on the hidden web, which is accessible only through the TOR network.<\/p>\n<p><span style=\"font-size: 15px; color: #006bb2; font-weight: bold;\">Actions performed by MazarBOT in the background<\/span><\/p>\n<ol>\n<li>All incoming SMSs are forwarded to the C&amp;C server. 
We sent an SMS to our test device and this SMS was intercepted by the malware and forwarded to the C&amp;C server. That SMS was not visible on the device.<\/li>\n<\/ol>\n<p><center><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/figure_3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-82273\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/figure_3.png\" alt=\"Figure 3_MazarBOT\" width=\"450\" height=\"110\" \/><\/a><\/center><\/p>\n<ol start=\"2\">\n<li>MazarBOT can wipe all device data when it receives the \u201chard reset\u201d command from the C&amp;C server.<\/li>\n<li>It can send SMSs to premium-rate numbers, which leaves the user with very high mobile usage bills.<\/li>\n<li>The malware can monitor which app is currently in the foreground. If the app is of interest to the malware, it shows an HTML page that imitates the app. This technique of \u201cFake Overlay Pages\u201d can be used to steal user credentials for Gmail, Facebook or any mobile banking app.<\/li>\n<li>The malware can inject itself into Google Chrome and can modify HTML content on open webpages.<\/li>\n<li>The malware can make calls to any number, reject incoming calls or enable call forwarding to numbers of its choice.<\/li>\n<li>It can lock the phone when it receives a \u2018lock\u2019 command. 
The phone will then remain locked until it receives an \u2018unlock\u2019 command.<\/li>\n<\/ol>\n<p><span style=\"font-size: 15px; color: #006bb2; font-weight: bold;\">List of C&amp;C commands to MazarBOT<\/span><\/p>\n<ul>\n<li>Intercept Start<\/li>\n<li>Intercept Stop<\/li>\n<li>Stop Numbers<\/li>\n<li>Unstop Numbers<\/li>\n<li>Unstop All Numbers<\/li>\n<li>Lock<\/li>\n<li>Unlock<\/li>\n<li>Send<\/li>\n<li>Forward Calls<\/li>\n<li>Stop Forward Calls<\/li>\n<li>Update HTML<\/li>\n<li>Hard Reset<\/li>\n<li>Call<\/li>\n<li>Sleep<\/li>\n<li>Wakeup<\/li>\n<\/ul>\n<p><span style=\"font-size: 15px; color: #006bb2; font-weight: bold;\">How to remove MazarBOT<\/span><\/p>\n<p>This malware cannot be easily removed in the traditional way because of its ability to get Device Admin privileges. Moreover, it does not allow users to easily deactivate that privilege. In order to get rid of the malware, the user will need to reboot the device in Safe Mode and then deactivate the Device Admin privilege. Only once this has been done can the user uninstall this malware from the device.<\/p>\n<p>Quick Heal detects this malware on Android smartphones as <b>Android.Mazarbot.A<\/b>.<\/p>\n<p><span style=\"color: #666666;\">Acknowledgment<\/span><\/p>\n<p>Subject Matter Experts:<\/p>\n<ul>\n<li>Sanket Temgire<\/li>\n<li>Gaurav Shinde<\/li>\n<\/ul>\n<p>Quick Heal Threat Research &amp; Response Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new Android malware, known as MazarBOT, has been discovered in-the-wild and this dangerous sample has the capability to hijack an unsuspecting user\u2019s smartphone. The malware gets into a victim\u2019s phone with an SMS as follows: You have received a multimedia message from +[xx] [xxxxxxxxxx]. 
Follow the link hxxp:\/\/www.mmsforyou[.]Net\/mms.apk to view the message.When we tried [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":82387,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,24],"tags":[431,380,1213,76],"class_list":["post-82270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-malware","tag-android","tag-android-malware","tag-mazarbot","tag-sms"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/82270"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=82270"}],"version-history":[{"count":2,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/82270\/revisions"}],"predecessor-version":[{"id":82337,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/82270\/revisions\/82337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/82387"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=82270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=82270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=82270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}