Malware that can root your device and delete everything

In the security news this week, there has been a new form of malware named “Mazar BOT” which has the ability to “root” your Android device and erase everything on the handset. The malware was discovered by Heimdal Security and was released this week in a blog. The blog highlights their investigation into text messages which were sent to random mobile numbers with unknown geographical reach. Here is an example message.

You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.

Once you have clicked the link and downloaded the application, you must have the ability to ‘install applications from unknown sources’ selected. If you are unfortunate to have this option selected and clicked on the link, then the application will install and gain administrator rights on the handset.

A list of activities possible by Mazar BOT are:

  • Gain boot persistence to help survive device restarts
  • Send and Read your SMS messages
  • Make Calls to your contacts
  • Read the phone’s state
  • Plague phone’s control keys
  • Infect your Chrome browser
  • Change phone settings
  • Force the phone into sleep mode
  • Query the network status
  • Access the Internet
  • Wipe your device’s storage

Which is all done through:

  • SEND_SMS
  • RECEIVE_BOOT_COMPLETED
  • INTERNET
  • SYSTEM_ALERT_WINDOW
  • WRITE_SMS
  • ACCESS_NETWORK_STATE
  • WAKE_LOCK
  • GET_TASKS
  • CALL_PHONE
  • RECEIVE_SMS
  • READ_PHONE_STATE
  • READ_SMS
  • ERASE_PHONE
Malware that can root your device and delete everything

MMS Messaging application screenshot from Hemidal.

It doesn’t end there! As part of the malware package, you also get a TOR browser installed however the user is left unaware of the installation. The reason is that the malware can use the TOR network to send the traffic from the device over the anonymity network. The Mazar BOT is also known for sending a “Thank you” message to an Iranian phone number (9876543210), along with the device’s location.

It gets worse! Mazar BOT also installs an Android app called ‘Polipo Proxy’ that establishes a proxy connection on the device, allowing the developer of the malware to view the web traffic from the infected device or even manipulate the traffic and carry out a number of Man-in-the-Middle (MitM) attacks.

Polipoid brings the Polipo HTTP proxy to Android. Polipo lets you do useful things such as cache web pages for offline access and should generally speed up browsing a little.

One interesting “feature” of the application is that it cannot be installed on handsets have been configured in Russian. Until now, Mazar BOT for Android has been advertised for sale on several Russian underground (Dark Web) forums, but this is the first time this code has been utilised in active attacks.