The Android data stealer, which we dubbed “MazarBOT” based on text in the binary APK code, is active again.
It’s spammed out via SMS with the following content (sanitized by CSIS):
“Du har modtaget en MMS-besked fra +45430444292. Følg linket http://mmsservice[.]pw/apk for at få vist beskeden”
English translation:
“You have received a multimedia message at +45430444292. Follow the link http://mmsservice[.]pw/apk to view the message.”
It’s worth mentioning that the message is written in perfect Danish.
If the code is executed, it calls back home to a C&C server at (sanitized by CSIS) http://37.1.205[.]193/?action=command.
The server is hosted in the United Kingdom at 3nt Solutions Llp.
The data sent to the C&C server includes, among other things:
{"type":"install","country":"DK","imei":"%","model":"%","apps":["exts.denmark"],"operator":"%","sms":[%],"os":"4.2.1","install id":"1"}
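As an added example (not part of the CSIS post or of the malware's code), the following Python sketch shows how a defender could turn the indicators above into a simple check over outbound proxy logs: it matches the lure domain and the C&C host and query, parses the install beacon into its fields while tolerating the "%" placeholders CSIS used when redacting values, and reports the package name listed under "apps". The tab-separated log format and the log lines are constructed for the example; the indicators and the beacon layout are the ones quoted in the post.

```python
import json
import re
from dataclasses import dataclass, field

# Indicators quoted in the CSIS write-up (defanging brackets removed so they match raw logs).
C2_HOST = "37.1.205.193"
C2_QUERY = "action=command"
LURE_HOST = "mmsservice.pw"

# Keys of the install beacon as shown in the write-up. CSIS redacted several values with "%".
BEACON_KEYS = {"type", "country", "imei", "model", "apps", "operator", "sms", "os", "install id"}
REDACTED = "%"

# A bare % (e.g. "sms":[%]) is not valid JSON; quote it so the redacted sample still parses.
_BARE_PLACEHOLDER = re.compile(r'(?<![\w"])%(?![\w"])')


@dataclass
class Alert:
    line_no: int
    reason: str
    details: dict = field(default_factory=dict)


def parse_beacon(body):
    """Parse a MazarBOT-style install beacon.

    Returns the decoded dict, or None if the body is not JSON or lacks the
    expected keys. Values the analyst replaced with "%" are tolerated.
    """
    try:
        data = json.loads(_BARE_PLACEHOLDER.sub('"%"', body))
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(data, dict) or not BEACON_KEYS.issubset(data):
        return None
    return data


def beacon_findings(beacon):
    """Derive the facts a triage analyst wants from a parsed beacon."""
    findings = []
    if beacon.get("type") == "install":
        findings.append("new infection reported")
    if "exts.denmark" in beacon.get("apps", []):
        findings.append("package exts.denmark present (named in the write-up)")
    redacted = sorted(k for k, v in beacon.items() if v == REDACTED)
    if redacted:
        findings.append("redacted fields: " + ", ".join(redacted))
    return findings


def scan_proxy_log(lines):
    """Scan constructed tab-separated proxy log lines
    (timestamp, client, method, host, path+query, body) for MazarBOT activity."""
    alerts = []
    for no, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 6:
            continue  # not in the expected format; skip rather than guess
        _ts, client, method, host, path, body = parts[:6]
        if host == LURE_HOST:
            alerts.append(Alert(no, "client fetched the SMS lure URL",
                                {"client": client, "path": path}))
        if host == C2_HOST and C2_QUERY in path:
            details = {"client": client, "method": method}
            beacon = parse_beacon(body)
            if beacon is not None:
                details["beacon"] = beacon_findings(beacon)
            alerts.append(Alert(no, "traffic to MazarBOT C&C", details))
    return alerts


# Constructed sample log: one lure download, one beacon to the C&C, one unrelated request.
SAMPLE_LOG = [
    "2000-01-01T00:00:01Z\t10.0.0.12\tGET\tmmsservice.pw\t/apk\t",
    "2000-01-01T00:00:02Z\t10.0.0.12\tPOST\t37.1.205.193\t/?action=command\t"
    '{"type":"install","country":"DK","imei":"%","model":"%","apps":["exts.denmark"],'
    '"operator":"%","sms":[%],"os":"4.2.1","install id":"1"}',
    "2000-01-01T00:00:03Z\t10.0.0.33\tGET\twww.example.org\t/index.html\t",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.reason} {alert.details}")
```

Both the lure fetch and the C&C beacon from the same client are reported, which is the sequence the post describes: SMS link, APK download, then the install beacon.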
MazarBOT overlays several applications installed on the infected Android device. The screenshot below shows a MiTM phishing attack against a Danske Bank user:
Apart from that, it is identical to the write-up we posted here:
https://www.csis.dk/en/csis/news/4819/
At the time of distribution MazarBOT had zero AV detection, but that has since improved slightly (11/53):
https://www.virustotal.com/en/file/124675ce63027ceea0a52bf89a813ad2a6b0cc3e6ca55329831d0099af2307d9/analysis/