A new bit of malware lets hackers gain administrator access to Android devices using only text messages. The malware, dubbed Mazar BOT, was discovered in the wild by Dutch digital security firm Heimdal Security. Mazar BOT allows an attacker to make, send, and receive SMS messages from the compromised device, make phone calls, access the Internet, and even erase the device completely, according to a blog post by the company.
The attack works by sending a text message informing the user that he has received a multimedia message and instructing him to click on a link to download it. When a user clicks on the link, a malicious APK (Android application package file) is downloaded instead, which in turn retrieves Tor, a legitimate Android app, and installs it on the device. Once the Tor app is installed, the malware can surf the Internet anonymously via the Tor network. It can then send the data and other communications it steals over the anonymous network.
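As an added illustration (not code from the article or from Heimdal Security), here is a small Python heuristic that flags SMS messages matching the lure pattern described above: a claim that a multimedia message is waiting plus a link, or any link that points at an APK. The message texts are constructed samples, not real Mazar BOT lures.

```python
import re
from dataclasses import dataclass

# Constructed sample SMS texts, one message per entry, as a carrier or MDM
# export might present them. None of these are real Mazar BOT messages.
SAMPLE_SMS = [
    "You have received a multimedia message. Download it here: http://mms-view.example/mms.apk",
    "Your package is on its way, track at https://shop.example/track/123",
    "New MMS waiting for you! Open http://198.51.100.7/msg/view.apk to see it",
    "You have 1 MMS. View: http://short.example/xYz",
    "Lunch at 12? Bring the report",
]

LURE_WORDS = re.compile(r"\b(mms|multimedia message)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
APK_RE = re.compile(r"\.apk(\?|$)", re.IGNORECASE)


@dataclass
class Verdict:
    text: str
    urls: list
    apk_link: bool   # some URL ends in .apk (or .apk?query)
    mms_lure: bool   # message claims an MMS / multimedia message is waiting

    @property
    def suspicious(self) -> bool:
        # The pattern the article describes: an MMS-style lure carrying a
        # link, or any link that delivers an APK directly over SMS.
        return self.apk_link or (self.mms_lure and bool(self.urls))


def classify(text: str) -> Verdict:
    """Extract URLs from one message and score it against the lure pattern."""
    urls = URL_RE.findall(text)
    return Verdict(
        text=text,
        urls=urls,
        apk_link=any(APK_RE.search(u) for u in urls),
        mms_lure=bool(LURE_WORDS.search(text)),
    )


def suspicious_messages(messages):
    """Return the verdicts for every message that matches the lure pattern."""
    return [v for v in map(classify, messages) if v.suspicious]
```

Run over `SAMPLE_SMS`, the two APK links and the MMS lure with a shortened link are flagged, while the parcel-tracking link and the plain text message are not.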
Complete Remote Control
The hack opens users up to a veritable Pandora’s box of malicious behavior. Among other things, Mazar BOT lets an attacker open a backdoor on a device, as well as monitor and control the device remotely. The hacker can also force the device to send premium SMS texts to run up a user’s phone bill. By reading SMS texts, the hackers can read the identification codes sent as part of two-factor authentication mechanisms.
That capability already gives the hackers a massive amount of control. But the Mazar BOT is only part of the attack. The hackers also set up a Polipo proxy, which criminals can use to mount man-in-the-middle attacks between victims' phones and Web services, and which can stop phone calls and launch other aggressive commands.
The malware is also able to inject itself into the Chrome server, compounding the damage. And it can give the attacker control of a device's buttons, enable a phone’s sleep mode, and save actions in the phone’s settings.
A Russian Connection
Heimdal said Mazar BOT is currently being sold on the Dark Web, and is already being used in active attacks. So far, Heimdal said it has not been able to determine the country of origin for the APK. However, the malware cannot be installed on Android devices running with the Russian language option, as Mazar shuts off if the device appears to be owned by a Russian user.
“Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always),” Andra Zaharia, a security specialist at Heimdal, wrote on the company blog. “We can expect this malware to expand its reach, also because of its ability to remain covert by using Tor to hide its communication.”
Users with Android phones are urged not to click on links in SMS messages, as they are particularly vulnerable to attacks through that vector. Android users should also change their security settings to prevent apps from sources other than the Google Play store from being installed.
Image Credit: Screenshots via Heimdal Security.