Monday, February 22, 2016

Recent MazarBot targeting the MobilePay can lock and erase your device

Based on data by Danske Bank in 2015, MobilePay was the 3rd most frequently used application in Denmark after Facebook and Facebook messenger with more than 2.7 million people using it regularly. 

[Image: MobilePay by Danske Bank]
Not long after MazarBot was discovered by Heimdal Security, a new version is targeting Danish users again. Peter Kruse from the CSIS Security Group has already warned users about this new wave of MazarBot in his latest blog post, but let's take a closer look.
The spreading scenario is the same. The user gets a text message claiming that he has received an MMS. The text message also contains a URL where the multimedia message can supposedly be viewed.

Figure 1 Received SMS pointing to MazarBot (image: malicious SMS received from an unknown contact)
Text message translated to English: “You have received an MMS from +45XXXXXXXX. Follow the link to view the message.” Clicking on the link leads to downloading MazarBot and a prompt to install it as an “MMS Messaging” application.
After it starts, MazarBot sends device information to the remote server: device model, operator code, country, IMEI, all received text messages stored on the device and the package names of the installed applications.

Figure 2 Communication between MazarBot and the server (image: MazarBot sending personal data to the C&C)

MazarBot then contacts the server and executes whatever commands it receives from the C&C.
MazarBot can perform these commands:

  • Send text messages
  • Intercept received text messages
  • Stop intercepting received text messages
  • Lock device
  • Unlock device 
  • Wipe data

The attacker can remotely lock the user's device. The lock screen makes the user believe the system is updating. The user stays locked out of the device even after restarting it. The device can be unlocked by the attacker or by booting into Safe mode.

Figure 3 MazarBot lock screen (image: Android lock screen)

Phishing of MobilePay

Besides waiting for commands, MazarBot watches for the MobilePay application to be launched. When MobilePay starts, the malicious code creates an overlay activity in the foreground that asks the user to fill in personal information.

Figure 4 Fake MobilePay activity

After the user fills in the Social Security number, mobile number and password, MazarBot asks him to take a picture of his NemID code card, which is a card of one-time passwords used when the user logs on.
The malicious code can intercept incoming text messages and forward them to the attacker's server, bypassing two-factor authentication.
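The command set listed above (SMS sending and interception, lock, wipe) and the MobilePay overlay described in this section map onto a small set of Android permissions and device-admin policies. The following triage script is an added example, not code from the post or from the MazarBot sample: it parses a constructed AndroidManifest.xml and device-admin policy file and flags an app whose declared capabilities match this profile (the capability mapping and risk ranking are this example's own heuristic).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups mapped to the behaviours described in the post.
# The mapping is this example's own heuristic, not taken from the sample.
CAPABILITIES = {
    "sms_send": {"android.permission.SEND_SMS"},
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "device_fingerprint": {"android.permission.READ_PHONE_STATE"},  # IMEI, operator
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},           # fake login screen
    "foreground_watch": {"android.permission.GET_TASKS"},            # spot MobilePay start
}
ADMIN_POLICIES = {"force-lock": "lock_device", "wipe-data": "wipe_data"}


def triage_manifest(manifest_xml: str, device_admin_xml: str = "") -> dict:
    """Return the capability profile of an APK manifest plus a risk verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    caps = {cap for cap, needed in CAPABILITIES.items() if declared & needed}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app obtains lock/wipe rights
    has_admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                    for r in root.iter("receiver"))
    if has_admin and device_admin_xml:
        for policies in ET.fromstring(device_admin_xml).iter("uses-policies"):
            caps.update(ADMIN_POLICIES[c.tag] for c in policies if c.tag in ADMIN_POLICIES)
    # Overlay + SMS interception is the banking-phishing combination; lock/wipe on
    # top of it is the ransom/destruction behaviour, so rank that highest.
    if {"overlay", "sms_intercept"} <= caps and caps & {"lock_device", "wipe_data"}:
        verdict = "high"
    elif {"overlay", "sms_intercept"} <= caps:
        verdict = "medium"
    else:
        verdict = "low"
    return {"capabilities": sorted(caps), "device_admin": has_admin, "verdict": verdict}


# Constructed sample manifest and device-admin policy (not from the real sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mmsmessaging">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application><receiver android:name=".AdminReceiver"
      android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
SAMPLE_DEVICE_ADMIN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><force-lock/><wipe-data/></uses-policies></device-admin>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST, SAMPLE_DEVICE_ADMIN))
```

Feeding it a manifest extracted with a standard APK unpacking tool gives an analyst a quick first-pass profile before spending time on the code itself.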

C&C server fail or when the security matters

The command and control server is used to gather the stolen data and, naturally, to control the bots. The MazarBot author didn't put much effort into securing it: the C&C web interface was openly accessible for more than 12 hours without any protection :).

Figure 5 The MazarBot C&C server (image: list of infected devices)

Most of the compromised devices were from Denmark.

Figure 6 Early C&C statistics translated by Google (image: number of infected Android devices)

More information

The server distributing MazarBot was registered on February 16, 2016.
The C&C server, now with a login page in place:
VirusTotal detection rate here.
