New Android malware can steal and wipe smartphone contents

By Liu Hongzuo - on 17 Feb 2016, 12:29pm

Heimdal announced their findings on Mazar Bot malware via their website. Image credit: Heimdal

Android OS smartphone users have it tough. A new piece of malware targeting Android smartphones has been spotted by Danish security firm Heimdal, which confirmed that the malware, named Mazar Bot, lets attackers take control of a user's Android phone and access the device's services and information at will.

The Mazar Bot infection starts with an MMS message that contains a link to a malicious .apk file (the Android package format for mobile applications). So far, 100,000 phones in Denmark have received the malicious message. Heimdal stated that it is unclear how far the attack reaches geographically.

According to Heimdal, the MMS looks like this:

You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.

An example of the .apk installation that would start the malware attack. Here, you can see the permissions granted to the .apk file upon installation. Image credit: Heimdal

Opening the .apk file will allow attackers to gain administrator rights on the affected device. These rights will enable the attacker to wake the phone from a locked state, access the Internet, read and send SMS, and even erase phone data.

Once the attackers have control of the affected device, the malicious .apk file proceeds to install legitimate Tor (The Onion Router) software, which lets users browse the Internet anonymously. One such application, and the one Mazar Bot uses, is Orbot, which is publicly available on the official Google Play app store. Once the Tor proxy is on the victim's phone, the malware connects to a malicious server over the Tor network.

The affected phone will then send a text message saying “Thank you”, together with the phone’s location data, to a number based in Iran.

From here, attackers can:

  • Monitor and control the smartphone freely (including stopping phone calls)
  • Send SMS messages to premium-rate numbers to run up the victim's phone bill
  • Read SMS messages, including authentication codes required for accounts protected via two-factor authentication
  • Do whatever they want.

Mazar Bot also uses the Polipo proxy, which enables man-in-the-middle (MITM) attacks. In an MITM attack the attacker sits between two communicating parties and relays traffic to both, while the parties believe they are talking directly to each other. The data for the MITM attacks is copied to the affected phone via malicious MP3 files; this MP3 file format exploit resembles the modus operandi of Stagefright 2.0. Mazar Bot can also inject itself into Chrome, as shown below.

Mazar Bot conducting a Chrome injection. Image credit: Heimdal

A list of exploits the Mazar Bot malware can access after successful injection. Image credit: Heimdal

According to Heimdal, the Mazar Bot malware is deliberately programmed not to attack smartphones whose default language is Russian. The malware is also for sale on the Dark Web. The security company tested the malware on Android 4.4 (KitKat), but Heimdal's Chief Executive, Morten Kjaersgaard, told the BBC that the malware is likely to affect all prior Android OS versions as well.

Listed below are some preventive steps you can take to avoid Mazar Bot, as recommended by Heimdal.

Protecting your Android phone from Mazar Bot:

  • Never click on links in SMS or MMS messages on your phone.
  • Go to Settings > Security and turn the following option off: “Allow installation of apps from sources other than the Play Store.” (This setting is disabled by default, but it’s worth a check).
  • Do not connect to unknown and unsecured Wi-Fi hotspots (we have also discussed this particular risk on the iOS platform in a separate article).
  • Install a VPN on your smartphone and keep it on whenever you browse or follow links.
  • Install a good antivirus for Android OS.
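The first recommendation above, not following links in text messages, can be turned into a simple triage check for message bodies. The following is an added example (not Heimdal's code); it flags links that point straight at an .apk download, the delivery method described for Mazar Bot, and separately flags the fake carrier-notice wording Heimdal quoted. The sample messages and the `example.invalid` domains are constructed, not real indicators.

```python
import re
from urllib.parse import urlparse

# Added example (not Heimdal's code): triage SMS/MMS text for the lure
# pattern described for Mazar Bot: a link to a direct Android package download.
RISKY_EXTENSIONS = (".apk",)  # assumption: only .apk is treated as a package
# Wording from the lure Heimdal quoted, used to spot fake carrier MMS notices.
LURE_PHRASES = ("received a multimedia message", "to view the message")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return URLs found in the message body, minus trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def assess_message(text):
    """Return (verdict, reasons) for one message body.

    "block"      - a link points straight at an Android package download
    "suspicious" - carrier-notice lure wording appears alongside any link
    "ok"         - neither pattern was found
    """
    reasons = []
    urls = extract_urls(text)
    lowered = text.lower()
    for url in urls:
        if urlparse(url).path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"direct package download: {url}")
    if urls and any(phrase in lowered for phrase in LURE_PHRASES):
        reasons.append("MMS-notice lure wording with an embedded link")
    if any(r.startswith("direct package") for r in reasons):
        return "block", reasons
    if reasons:
        return "suspicious", reasons
    return "ok", reasons


# Constructed sample messages (placeholder domains, not real indicators).
SAMPLES = [
    "You have received a multimedia message from +45 12345678 "
    "Follow the link http://mms.example.invalid/mms.apk to view the message.",
    "You have received a multimedia message. Visit "
    "http://example.invalid/view?id=7 to view the message.",
    "Your parcel is out for delivery, track it at https://example.com/track/123.",
    "Hi, dinner at 7?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, why = assess_message(msg)
        print(f"{verdict:10} {msg[:60]!r} {why}")
```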

Source: Heimdal via BBC
