If you think you have seen it all then you are wrong — here comes malware that will turn your phone into a useless box.
Mazar Bot packs so many hidden capabilities that security experts describe it as malware strong enough to turn your phone into a trash box. It is loaded with rooting abilities and can delete every trace of data in your phone's storage. The malware was discovered by Heimdal Security while inspecting an SMS message that was being sent to random numbers and locations.
A Truly Twisted Malware Campaign:
According to Heimdal Security staff, Mazar Bot is involved in active attacks. The campaign is unusual because it reaches users directly through SMS/MMS messages. These messages contain a link to an Android app file (APK). When the user clicks the link, the malicious APK is downloaded. When users open it, they are asked to install an app that looks harmless, probably because of its plain name, MMS Messaging. The app also requests admin privileges. The reason so many users fall prey to this malware is that the misleading name gives them no reason to suspect anything fishy. This modus operandi differs from the way Android threats usually spread, since most Android scams rely on users installing apps from third-party app stores.
The Extensiveness of Mazar Bot:
As mentioned above, Mazar is capable of rooting, and once it gains root access it can perform a variety of functions: gaining boot persistence, which lets it survive a device restart; sending and receiving SMS messages; making calls to contacts; infecting Google Chrome; observing the state of the phone and even controlling it by interfering with the phone's control keys and changing its settings. That is not all, since Mazar Bot can also enable sleep mode on your phone, access the web and alter the network status.
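To show how the capability set just described surfaces in a static triage step, here is an added Python example (not from the article or from Heimdal Security's analysis) that parses an Android manifest and maps the permissions it requests to the behaviours above: SMS send/receive, calls, boot persistence and a device-admin receiver. The manifest fragments are constructed to mirror the described capabilities and a benign app for contrast; the package names, receiver name and labels are placeholders, not the real sample's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the capability set described in the article
# (SMS send/receive, calls, boot persistence, device-admin receiver). The package
# name and receiver class are placeholders; this is NOT the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mmsmessaging">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="MMS Messaging">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

# Permission -> behaviour label, following the capabilities listed in the article.
CAPABILITY_MAP = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (e.g. 2FA codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate abuse, beaconing)",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot (boot persistence)",
    "android.permission.INTERNET": "network access",
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS", "android.permission.SEND_SMS"}


def attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    """Summarise requested permissions, device-admin use and a coarse risk verdict."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    capabilities = [label for perm, label in CAPABILITY_MAP.items() if perm in perms]
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks for device-admin rights.
    device_admin = any(
        attr(r, "permission") == "android.permission.BIND_DEVICE_ADMIN" for r in root.iter("receiver")
    )
    app = root.find("application")
    label = attr(app, "label") if app is not None else None
    if device_admin and perms & SMS_PERMS:
        verdict = "high"      # admin rights plus SMS access: the combination described above
    elif device_admin or perms & SMS_PERMS:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "label": label,
        "permissions": sorted(perms),
        "capabilities": capabilities,
        "device_admin": device_admin,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{name}: label={result['label']!r} verdict={result['verdict']}")
        for cap in result["capabilities"]:
            print("  -", cap)
```

The verdict logic is deliberately coarse: a messaging app legitimately needs SMS permissions, so the signal worth acting on is the combination of SMS access with a device-admin receiver and boot persistence, which is exactly the set the article attributes to Mazar Bot.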
It can also download and install the Tor Android app on your device, obviously without your consent or permission. Heimdal Security experts explained that the malware installs this app using these links:
When installed, the malware attempts to connect to this server:
http://pc35hiptpcwqezgs[.]onion
With this capability, Mazar can surf the web with full anonymity through the Tor network. After installing the Tor app, the malware surprisingly sends a message to an Iranian number, 9876543210 (98 is the calling code of Iran). The message reads "Thank You." It contains the location of the device and acts as a beacon, informing the instigator of the attack whenever the malware has penetrated a new device.
Heimdal Security identified another aspect of this malware: it sometimes installs the Polipo proxy as an Android app. This app adds a proxy on the device and lets the owner of the malware spy on the Internet traffic and mount Man-in-the-Middle (MiTM) attacks. The Polipo HTTP proxy is brought to Android through Polipoid and is useful for legitimate purposes such as caching web pages for offline access and speeding up browsing. In the hands of cyber-criminals, however, the proxy can sit between the targeted phone and any Internet service and modify the traffic. This is how the attackers carry out MiTM attacks.
There is more... the scariest part we left for the end!
Mazar Bot can easily and completely wipe the storage on your device. This is dangerous, isn't it?
Who is Behind this Insane Malware Campaign?
Yes, you read it right. Mazar Bot is being distributed by a Russia-based group of cyber-criminals.
The clue that led to this assumption about the attackers' real location is an unwritten rule in Russia: if Russians remain unaffected by a cyber campaign, Russian officials won't chase its perpetrators. Sure enough, the campaign hasn't affected anyone in Russia, and the malware's source code contains instructions to halt the installation if the phone uses the Russian language.
Recorded Future first identified this malware in 2015 while it was being sold on underground Dark web malware marketplaces. Heimdal Security, however, is the first to identify it in an active malware campaign. The security team at Heimdal Security was analyzing an SMS message that was being sent to random mobile phone numbers. It is currently unclear how far and to how many regions this message was sent.
The content of the deceptive SMS message is as follows:
"You have received a multimedia message from +[country code] [sender number] Follow the link http://www.mmsforyou[.]net/mms.apk to view the message."
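As an added illustration that is not part of the original article, the following Python script applies simple smishing triage to SMS bodies: it refangs defanged URLs, extracts the links, flags any that point at an .apk file, and notes the lure phrases used in the message quoted above. The sample messages are constructed; the first reuses the article's lure text with its defanged domain, and the others are invented (example.org / example.net) for contrast.

```python
import re

# Constructed sample SMS bodies (not real captures). The first reuses the lure text
# quoted in the article with its defanged domain; the rest are invented for contrast.
SAMPLE_SMS = [
    "You have received a multimedia message from +[country code] [sender number] "
    "Follow the link http://www.mmsforyou[.]net/mms.apk to view the message.",
    "Your parcel is waiting. Track it at https://courier.example.org/track?id=123",
    "Reminder: dentist appointment tomorrow at 10:00.",
    "You have received a multimedia message. Follow the link "
    "https://mms.example.org/view to view the message.",
    "Update your messenger now: hxxp://cdn.example[.]net/downloads/update.APK",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Phrases taken from the lure quoted in the article.
LURE_PHRASES = ("received a multimedia message", "follow the link", "view the message")


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], (.)) so URL extraction sees real links."""
    text = re.sub(r"(?i)hxxp(s?://)", r"http\1", text)
    return text.replace("[.]", ".").replace("(.)", ".")


def assess_sms(body: str) -> dict:
    """Classify one SMS body as 'apk-lure', 'suspicious' or 'benign'."""
    urls = URL_RE.findall(refang(body))
    # Strip query string and fragment before testing the file extension.
    apk_urls = [u for u in urls if u.split("?")[0].split("#")[0].lower().endswith(".apk")]
    phrases = [p for p in LURE_PHRASES if p in body.lower()]
    if apk_urls:
        verdict = "apk-lure"          # a direct APK download link is the strongest signal
    elif urls and phrases:
        verdict = "suspicious"        # MMS-style lure wording around a link
    else:
        verdict = "benign"
    return {"urls": urls, "apk_urls": apk_urls, "lure_phrases": phrases, "verdict": verdict}


def scan(messages) -> list:
    """Run assess_sms over a batch and return the verdicts in order."""
    return [assess_sms(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for body, verdict in zip(SAMPLE_SMS, scan(SAMPLE_SMS)):
        print(f"{verdict:10} {body[:70]}")
```

The APK check is on the URL path only, so a download hidden behind a redirector or a non-.apk path would only be caught by the weaker phrase heuristic; in practice this kind of rule is a first filter ahead of fetching and inspecting the linked file.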
Once this crazy new malware gets installed and runs through its functionality, attackers can do whatever they want. On Android phones it can create a backdoor so that the attackers can monitor and control the phone at will. It can also send text messages to premium-rate numbers, which leads to an unexpected increase in the victim's mobile phone bill. The malware can also read your incoming text messages, which means it can access the authentication codes sent during two-factor authentication, the kind of authentication normally used by e-commerce websites and banking applications.
Protection from Mazar Bot: Is It Possible?
The APK has a very low antivirus detection rate: VirusTotal shows 3/54.
So how can you prevent this hideous malware from affecting your phone?
Well, just follow these guidelines and you can do well.
* Do not click on a link sent via an SMS or MMS message on your smartphone, because Android phones are generally quite vulnerable and the latest Android security products aren't very effective on these devices.
* Turn off this option: Settings > Security > "Unknown Sources – Allow installation of apps from sources other than the Play Store."
* Try to install the most reliable Android antivirus, go for the top-rated ones.
* Avoid connecting to unsecured or unknown Wi-Fi hotspots, because it is highly dangerous. Moreover, keep your personal Wi-Fi turned off while not in use.
* Installing a VPN on your phone would be a good idea, both for the phone's security and for your privacy.
* Lastly, be cautious.