CSIS News: MazarBOT: Top class Android datastealer

This Friday, a wave of SMS messages was sent to random phone numbers in Denmark and likely elsewhere. The content of the SMS was designed to lure the recipient into clicking the provided link, which would serve up a malicious APK.

The SMS in question arrives with the following content (sanitized by CSIS):
“You have received a multimedia message from +[country code] [sender number] Follow the link http://www.mmsforyou[.]net/mms.apk to view the message”.

If the APK (an application file for Android) is run on an Android-powered smartphone, it will gain administrator rights on the victim’s device.
This will allow the attackers to:

SEND_SMS
RECEIVE_BOOT_COMPLETED
INTERNET
SYSTEM_ALERT_WINDOW
WRITE_SMS
ACCESS_NETWORK_STATE
WAKE_LOCK
GET_TASKS
CALL_PHONE
RECEIVE_SMS
READ_PHONE_STATE
READ_SMS
ERASE_PHONE
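As an added triage example (not code from the CSIS write-up), the following Python parses the permission lines printed by `aapt dump badging` and flags the capability combinations the list above implies, such as SMS interception with network access. The sample input is constructed from the page's permission list; ERASE_PHONE is omitted because it is not a standard Android permission name.

```python
from __future__ import annotations
import re

# Permissions requested by the MazarBOT APK, as listed in the write-up.
# Each group maps to a capability a defender should care about.
SMS_INTERCEPT = {"RECEIVE_SMS", "READ_SMS"}   # read incoming 2FA codes
SMS_SEND = {"SEND_SMS"}                        # premium-rate SMS, exfil by SMS
OVERLAY = {"SYSTEM_ALERT_WINDOW"}              # draw over other apps
CALLS = {"CALL_PHONE"}

# Matches both `aapt dump badging` output styles:
#   uses-permission: name='android.permission.SEND_SMS'
#   uses-permission:'android.permission.SEND_SMS'
_PERM_RE = re.compile(r"uses-permission:(?:\s*name=)?'([^']+)'")

def parse_permissions(badging_output: str) -> set[str]:
    """Return short permission names (without the android.permission. prefix)."""
    return {m.group(1).rsplit(".", 1)[-1] for m in _PERM_RE.finditer(badging_output)}

def triage(perms: set[str]) -> list[str]:
    """Return findings for a permission set; an empty list means nothing notable."""
    findings = []
    if SMS_INTERCEPT <= perms and "INTERNET" in perms:
        findings.append("SMS interception with network access: 2FA/OTP theft risk")
    if SMS_SEND <= perms:
        findings.append("can send SMS: premium-rate fraud, location exfiltration by SMS")
    if OVERLAY <= perms and "GET_TASKS" in perms:
        findings.append("overlay plus foreground-task visibility: phishing overlays on banking apps")
    if CALLS <= perms:
        findings.append("can place and control calls")
    if "RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("starts at boot: persistence")
    return findings

# Constructed sample, modelled on the permission list in the article.
SAMPLE_BADGING = "\n".join(
    f"uses-permission: name='android.permission.{p}'"
    for p in ["SEND_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET", "SYSTEM_ALERT_WINDOW",
              "WRITE_SMS", "ACCESS_NETWORK_STATE", "WAKE_LOCK", "GET_TASKS",
              "CALL_PHONE", "RECEIVE_SMS", "READ_PHONE_STATE", "READ_SMS"]
)

if __name__ == "__main__":
    for finding in triage(parse_permissions(SAMPLE_BADGING)):
        print("-", finding)
```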


CSIS has identified the malicious APK as the Mazar Android BOT (and based on that named it MazarBOT), a threat that Recorded Future reported in November 2015 as being sold on Russian underground websites.

The malicious APK retrieves Tor and installs it on the victim’s phone from the following legitimate URLs:

https://f-droid.org/repository/browse/?fdid=org.torproject.android
https://play.google.com/store/apps/details?id=org.torproject.android

In the next phase of the attack, the malware unpacks and runs the Tor application, which is then used to connect to the following hidden service: http://pc35hiptpcwqezgs[.]onion.

After that, an automated SMS will be sent to the number 9876543210 (+98 is the country code for Iran) with the text message: “Thank you”. The catch is that this SMS also includes the device’s location data.

This specific mobile malware opens the door to a variety of hostile attacks targeting the victim. Amongst many things, the attackers can:

– Open a backdoor into Android smartphones, to monitor and control them as they please
– Send SMS messages to premium-rate numbers, seriously increasing the victim’s phone bill
– Read SMS messages, which means they can also read authentication codes sent as part of two-factor authentication mechanisms, frequently used by, among others, online banking apps and e-commerce websites
– Use their full access to Android phones to basically manipulate the device to do whatever they want

Polipo proxy and Man-in-the-Middle Attack
The attackers behind MazarBOT also implemented the “Polipo proxy”, which gives them additional access to even more Android functionalities.

Through this proxy, cyber criminals can change the traffic and interpose themselves between the victim’s phone and a web-based service. This effectively becomes a Man-in-the-Middle attack.

The files are dropped to the victim’s phone disguised as mp3 files:

122.933 polipo.mp3
1,885,100 tor.mp3

Then, the proxy is configured with the following files:

174.398 debiancacerts.bks
574 torpolipo.conf
879 torpolipo_old.conf
212 torrc
276 torrc_old

For those technically inclined, the Polipo configuration that fronts the Tor proxy (torpolipo.conf) is quite straightforward:

# local HTTP proxy the bot's traffic is sent through
proxyAddress = "127.0.0.1"
proxyPort = 8118
allowedClients = 127.0.0.1
allowedPorts = 1-65535
proxyName = "127.0.0.1"
cacheIsShared = false
# upstream: the Tor SOCKS5 listener on the device
socksParentProxy = "127.0.0.1:9050"
socksProxyType = socks5
diskCacheRoot = ""
localDocumentRoot = ""
disableLocalInterface = true
disableConfiguration = true
dnsUseGethostbyname = yes
disableVia = true
# strip headers that could identify the device
censoredHeaders = from, accept-language, x-pad, link
censorReferer = maybe
maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535
chunkHighMark = 11000000
objectHighMark = 128
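As an added example (not code from the CSIS write-up), this Python parses a Polipo configuration of the kind quoted above and reports the settings that reveal an on-device HTTP proxy chained into a local Tor SOCKS port with identifying headers removed. The sample configuration is a constructed excerpt using Polipo's option names.

```python
from __future__ import annotations

# Constructed excerpt modelled on the torpolipo.conf quoted in the article.
TORPOLIPO_CONF = """
proxyAddress = "127.0.0.1"
proxyPort = 8118
allowedClients = 127.0.0.1
socksParentProxy = "127.0.0.1:9050"   # Tor's default SOCKS port
socksProxyType = socks5
disableLocalInterface = true
disableConfiguration = true
censoredHeaders = from, accept-language, x-pad, link
censorReferer = maybe
tunnelAllowedPorts = 1-65535
"""

def parse_polipo(text: str) -> dict[str, str]:
    """Parse Polipo's `key = value` lines, dropping '#' comments and surrounding quotes."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value.strip('"')
    return conf

def tor_proxy_indicators(conf: dict[str, str]) -> list[str]:
    """Flag settings that chain the HTTP proxy into a local Tor SOCKS listener."""
    hits = []
    parent = conf.get("socksParentProxy", "")
    if parent.endswith(":9050") and conf.get("socksProxyType") == "socks5":
        hits.append(f"HTTP proxy on port {conf.get('proxyPort')} chains to Tor SOCKS at {parent}")
    if "censoredHeaders" in conf or conf.get("censorReferer") in ("true", "maybe"):
        hits.append("identifying request headers are stripped before leaving the device")
    if conf.get("tunnelAllowedPorts") == "1-65535":
        hits.append("CONNECT tunnelling permitted to any destination port")
    if conf.get("disableConfiguration") == "true":
        hits.append("runtime reconfiguration through Polipo's web interface disabled")
    return hits

if __name__ == "__main__":
    for hit in tor_proxy_indicators(parse_polipo(TORPOLIPO_CONF)):
        print("-", hit)
```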

Chrome injects
As if it wasn’t enough that it can stop calls and launch other aggressive commands on the victim’s phone, MazarBOT is also capable of injecting itself into Chrome.


And there are several other settings and commands that MazarBOT can trigger, as showcased below. These include:


– Controlling the phone’s keys
– Enabling the sleep mode
– Saving actions in the phone’s settings, etc.

MazarBOT won’t run on Russian Android smartphones
CSIS was not surprised to observe that the malware cannot be installed on smartphones configured with Russian language settings. MazarBOT reads the device locale to identify the victim’s country and terminates the malicious APK if the targeted phone turns out to belong to a user in Russia:

java.util.Locale locale = java.util.Locale.getDefault();
if (locale.getCountry().equalsIgnoreCase("RU")) {
    // Russian locale: the bot terminates its own process
    android.os.Process.killProcess(android.os.Process.myPid());
}

Until now, MazarBOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code deployed in active attacks.


Remote debugging
Another interesting thing about MazarBOT is that it also implements a remote debugger. This allows the infected device to be used as a jump station over TCP/IP or on the same WiFi network, which opens up a variety of advanced attacks on the network. This applies to TCP/IP, WiFi and connections to a host over USB.

Generally, enabling the ADB daemon on a phone allows a computer to debug the phone over a connected USB cable or over a TCP port predefined on the phone.

Android also has a security setting that lets the user permit or deny ADB access from a connected computer; on Android 4.2.2 and later, access is denied by default unless explicitly allowed (with a few exceptions for a few phones).

Conclusion
MazarBOT is pretty advanced and nasty Android malware. Several factors indicate that it was designed primarily to target online banking customers. In fact, it will most likely succeed in circumventing most online banking protection solutions.

Antivirus detection at the time of distribution of the APK was low (3/54):
https://www.virustotal.com/en/file/73c9bf90cb8573db9139d028fa4872e93a528284c02616457749d40878af8cf8/analysis/