Android Malware Which Deletes and Erases Everything



Android users are being warned about a new strain of malware called Mazar Bot that is hitting smartphones, giving attackers full administrative rights to monitor and control nearly every aspect of the phone.

This Android malware has been making waves recently because it can obtain Device Administrator rights on your smartphone and use them to completely erase the phone's storage.

Mazar BOT is loaded with so many hidden capabilities that security researchers call it a dangerous piece of malware, one that can turn a smartphone into a zombie inside the attacker's botnet.

Mazar BOT was discovered by Heimdal Security while researchers at the firm were analyzing a text message sent to random mobile numbers. The geographical extent of the campaign is so far unknown, so please exercise caution.
The SMS / MMS in question arrives with the following contents (sanitized by Heimdal Security):
You have received a multimedia message from +[country code] [sender number] Follow the link http://www.mmsforyou[.]net/mms.apk to view the message.

The downloaded app carries the generic name "MMS Messaging" and asks the user to activate it as a Device Administrator. Because the name looks innocuous, most users grant the request. Note that Device Administrator rights are not root: they are an Android API that lets an app enforce device policies such as locking the screen or wiping the device, and it is this API, not a root exploit, that gives Mazar BOT its most destructive capabilities.


Heimdal's team identified the malicious APK as the Mazar Android BOT, a threat that Recorded Future had already spotted in November 2015.
The malicious package (APK) retrieves TOR and installs it on the victim's phone from the following legitimate URLs:
https://f-droid.org/repository/browse/?fdid=org.torproject.android
https://play.google.com/store/apps/details?id=org.torproject.android
In the next phase of the attack, the infection unpacks and runs the TOR application, which is then used to connect to the following server: http://pc35hiptpcwqezgs[.]onion.
After that, an automated SMS is sent to the number 9876543210 (+98 is the country code for Iran) with the text "Thank you". The catch is that this SMS also includes the device's location data.

How Mazar BOT Works


Unlike other Android malware, which distributes itself by tricking users into installing an app from third-party app stores, Mazar spreads via spam SMS or MMS messages that carry a link to a malicious APK (Android app file).

Once the user taps the link, the APK file is downloaded to the Android device and, when opened, prompts the user to install a new application.


According to Andra Zaharia, security specialist at Heimdal Security, the infection can also lead to Man-in-the-Middle (MITM) attacks, which are often used to steal sensitive details such as email account logins, social media credentials and banking information (see the proxy component described below).
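As an added example (not code from the original post or from Heimdal's report), the following Python filter implements the check a messaging gateway or an analyst would apply to the lure described above: it extracts URLs from an SMS/MMS body, refangs defanged text such as `[.]` and `hxxp`, decides on the URL path whether the link points straight at an APK, and raises the verdict when the message also poses as an MMS notification. The sample messages are constructed; the first reuses the sanitized lure text from the page.

```python
# Smishing lure filter for the SMS/MMS delivery described above.  Added example,
# not code from the original post or from Heimdal's report; the message samples
# below are constructed (the first reuses the page's sanitized lure text).
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
MMS_LURE_RE = re.compile(r"(?i)\b(?:multimedia message|mms)\b")


def refang(text):
    # Analysts paste defanged IOCs ("hxxp", "[.]"); normalise before matching.
    return re.sub(r"(?i)hxxp", "http", text.replace("[.]", "."))


def extract_urls(text):
    urls = []
    for m in URL_RE.finditer(refang(text)):
        url = m.group(0).rstrip(".,;:)")
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def links_to_apk(url):
    # Decide on the URL path so query strings and casing cannot hide the file.
    return urlparse(url).path.lower().endswith(".apk")


def classify(text):
    urls = extract_urls(text)
    apk_links = [u for u in urls if links_to_apk(u)]
    # Look for the MMS pretext in the prose only, not inside the URLs themselves.
    prose = URL_RE.sub("", refang(text))
    lure = bool(MMS_LURE_RE.search(prose))
    if apk_links and lure:
        verdict = "block"   # direct APK link dressed up as an MMS notification
    elif apk_links:
        verdict = "flag"    # APK link without the pretext: send for review
    else:
        verdict = "allow"
    return {"urls": urls, "apk_links": apk_links, "mms_lure": lure,
            "verdict": verdict}


# Constructed samples; +44 7700 900123 is a reserved fictional UK number.
SAMPLES = [
    "You have received a multimedia message from +44 7700 900123 "
    "Follow the link http://www.mmsforyou[.]net/mms.apk to view the message.",
    "Your parcel is ready: https://example.com/track?id=1234",
    "Update here: www.example.org/app/Update.APK?src=sms",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s)["verdict"], "<-", s)
```

The verdicts for the three samples are block, allow and flag respectively: the third carries an APK link but no MMS pretext, which is still worth a human look because a legitimate carrier never delivers an MMS as a bare APK download.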

What does Mazar BOT do


Once the user activates it as a Device Administrator, Mazar BOT holds the permissions and policies it declared at install time. This allows the attackers to:
  • Gain boot persistence to help survive device restarts
  • Send and read your SMS messages
  • Make calls to your contacts
  • Read the phone's state
  • Interfere with the phone's control keys
  • Infect your Chrome browser
  • Change phone settings
  • Force the phone into sleep mode
  • Query the network status
  • Access the Internet
  • Wipe your device's storage (the most destructive capability of all)
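The capability list above maps onto a small set of Android permissions and Device Administrator policies that the APK has to declare, which is what an analyst inspects first when triaging a sample. The following Python script, an added example that is not Heimdal's or the malware's code, parses a decoded AndroidManifest.xml together with the device-admin policy XML the manifest references, checks for a receiver guarded by BIND_DEVICE_ADMIN, and reports which of the listed capabilities the declarations support. The mapping from capabilities to permissions is an assumption made here (force-lock is taken as the "force sleep mode" entry, and the Chrome and control-key items have no single permission, so they are left out), and both manifests are constructed for illustration, not extracted from Mazar BOT.

```python
# Static triage of a decoded AndroidManifest.xml plus its device-admin policy
# file.  Added example, not Heimdal's or the malware's code; the manifests
# below are constructed to mirror the capability list, not taken from Mazar BOT.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed mapping from the capabilities listed above to the standard Android
# permissions an app must declare to obtain them.
CAPABILITY_PERMISSIONS = {
    "boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "send/read SMS": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                      "android.permission.RECEIVE_SMS"},
    "make calls": {"android.permission.CALL_PHONE"},
    "read phone state": {"android.permission.READ_PHONE_STATE"},
    "change settings": {"android.permission.WRITE_SETTINGS"},
    "query network status": {"android.permission.ACCESS_NETWORK_STATE"},
    "internet access": {"android.permission.INTERNET"},
}
# Capabilities that need Device Administrator policies rather than permissions.
# wipe-data is the storage wipe; force-lock is assumed to be "force sleep mode".
CAPABILITY_POLICIES = {"wipe storage": "wipe-data", "force sleep mode": "force-lock"}

# Constructed sample: an "MMS Messaging" app that declares the whole set.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mmsmessaging">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application android:label="MMS Messaging">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
    </receiver>
  </application>
</manifest>
"""
SAMPLE_POLICY = """
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><wipe-data/><force-lock/></uses-policies>
</device-admin>
"""
# Constructed benign contrast: a plain networked app with no admin receiver.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission")}


def has_device_admin_receiver(manifest_xml):
    # Device Administrator rights (not root): the app exposes a receiver
    # guarded by BIND_DEVICE_ADMIN and asks the user to activate it.
    root = ET.fromstring(manifest_xml)
    return any(r.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
               for r in root.iter("receiver"))


def device_admin_policies(policy_xml):
    uses = ET.fromstring(policy_xml).find("uses-policies")
    return set() if uses is None else {p.tag for p in uses}


def triage(manifest_xml, policy_xml=None):
    perms = declared_permissions(manifest_xml)
    admin = has_device_admin_receiver(manifest_xml)
    caps = {c for c, need in CAPABILITY_PERMISSIONS.items() if perms & need}
    if admin and policy_xml:
        policies = device_admin_policies(policy_xml)
        caps |= {c for c, p in CAPABILITY_POLICIES.items() if p in policies}
    # Device admin plus a wipe policy plus SMS control is the profile described
    # above; an admin receiver on its own still deserves a closer look.
    if admin and {"wipe storage", "send/read SMS"} <= caps:
        verdict = "high"
    elif admin:
        verdict = "medium"
    else:
        verdict = "low"
    return {"device_admin": admin, "capabilities": sorted(caps), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_POLICY))
    print(triage(BENIGN_MANIFEST))
```

On a real sample the manifest comes out of the APK with apktool or aapt, and the policy file is whatever `android:resource` on the `android.app.device_admin` meta-data points to; the value of the check is that a wipe-data policy behind an admin receiver in an app calling itself "MMS Messaging" is a red flag before any dynamic analysis is run.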

Mazar BOT Browses the Internet Anonymously Using TOR


Besides these tasks, Mazar BOT can also download the legitimate TOR (The Onion Router) Android app onto your smartphone and install it, without your consent or permission.

Using the TOR app, the malware can reach its command server over the Tor network, which hides the server's real location.

Once the malware has installed TOR on the victim's phone, Mazar BOT sends a "Thank you" message to an Iranian phone number (9876543210), along with the device's location.

In some instances, Mazar BOT also installs an Android app called Polipo Proxy, which sets up a proxy on the device and routes the victim's Web traffic through it, allowing the malware's author to spy on that traffic and carry out Man-in-the-Middle (MITM) attacks.

Who is Behind This Awful Malware?


Mazar BOT is believed to be distributed by a Russia-based group of cyber-criminals.

One clue supporting this assumption: Mazar BOT cannot be installed on Android smartphones in Russia, because its code includes a check that stops the installation process on phones whose language is set to Russian.

Another clue: there is an unwritten law in Russia that says "if cyber criminals don't go after Russians, Russian authorities will not go after them." Moreover, there is no indication yet that this Mazar BOT campaign has affected anyone in Russia.

Until now, Mazar BOT for Android had only been advertised for sale on several Russian underground (Dark Web) forums; this is the first time the code has been seen in active attacks.

How to Protect Yourself from Mazar BOT


There are standard protection measures you need to follow to remain unaffected:

  1. NEVER tap links in SMS or MMS messages sent to your phone, especially links that end in .apk.
  2. Go to Settings → Security and make sure "Unknown sources" (installation of apps from sources other than the Play Store) is turned OFF.
  3. Always keep an up-to-date anti-virus app on your Android devices.
  4. Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.
  5. Check Settings → Security → Device administrators and deactivate any app you do not recognise; an app holding Device Administrator rights must be deactivated there before Android will let you uninstall it.

Android Malware Which Deletes and Erases Everything. Reviewed by Haxbaba Tech on 06:50
