PINDROP BLOG

MazarBOT Android Malware Spreads Via SMS

As phones have become more and more vital to users’ lives, attackers and fraudsters have focused a larger portion of their attention on those devices. One of the key methods of attack is delivering malware through texts or MMS messages, and researchers have discovered a new malicious SMS campaign that infects Android phones, can steal many kinds of sensitive data, and can run a wide range of operations on compromised devices.

The malware delivered in the SMS is known as MazarBOT, and it has been affecting Android users in a variety of countries, especially in Scandinavia and Europe. In order to be infected, a user has to click on a link that arrives in an unsolicited text from an unknown number. Once the victim clicks on the link, she is presented with an app that is installed and immediately gets administrative rights on the infected device. MazarBOT then has the ability to take a wide variety of actions on the device, including sending texts, receiving texts, getting detailed device information, and even erasing the phone, according to an analysis by researchers at CSIS in Denmark.

The malware also installs the Tor anonymity client, uses it to connect to a remote server, and then sends an automated text to a number in Iran. The message is harmless, but it also transmits the device’s location. The malware’s ability to read incoming SMS messages is not just a threat to privacy, but also to a user’s security, thanks to the way that banks and other companies use SMS as a method of authentication.
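For defenders triaging a suspicious APK, the capability set described above (sending texts, reading incoming texts, device information, device administrator rights) can be checked against the app's manifest. The following is an added example, not code from CSIS or Pindrop; it assumes the manifest has already been decoded to text (for instance with apktool), and the capability-to-permission mapping and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml (not taken from any real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Capability named in the article -> standard Android permission (mapping is an assumption).
CAPABILITY_PERMS = {
    "send_sms": {"android.permission.SEND_SMS"},
    "read_incoming_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
}

def triage_manifest(manifest_xml):
    """Return the sorted list of article-described capabilities the manifest requests."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITY_PERMS.items() if perms & requested}
    # A receiver guarded by BIND_DEVICE_ADMIN means the app can ask to become a
    # device administrator, the prerequisite for wiping the device.
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found.add("device_admin")
    return sorted(found)

def is_high_risk(capabilities):
    """Flag apps that can both intercept SMS (e.g. one-time codes) and hold device admin."""
    return {"read_incoming_sms", "device_admin"} <= set(capabilities)

if __name__ == "__main__":
    caps = triage_manifest(SAMPLE_MANIFEST)
    print(caps, "HIGH RISK" if is_high_risk(caps) else "review")
```

A match is a reason to look closer, not a verdict: legitimate messaging and device-management apps request some of the same permissions.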

MazarBOT has been for sale on the underground for some time, and CSIS researchers said that the malware won’t infect Russian-language Android devices.

“CSIS was not surprised to observe that the malware cannot be installed on smartphones configured with Russian language settings. MazarBOT will check the phone to identify the victim’s country and it will stop the malicious APK, if the targeted phone turns out to be owned by a user in Russia,” the CSIS analysis says.

Attackers prize Android malware, mainly because Android is the most widely used mobile operating system, but also because the update mechanism for Android is typically controlled by carriers and users often don’t have the opportunity to update their devices.
