Wednesday, February 24, 2016

Android MazarBot stealing credit card information in Italy with certificate issued by Putin

It looks like the MazarBot is a very persistent botnet focusing on selected countries. Last time it was Denmark; now it is reaching into the pockets of Italian people. The MazarBot tries to lure credit card details out of the user by posing as the WhatsApp application and sends them to a remote server.



The MazarBot spreads through a URL link to a fake “Browser Chrome” application. The scam web page closely resembles the official Google Play Store page. An inexperienced user will not notice any difference between Google Play and this fake web page, except in the address bar. The web page text is written in Italian, including the fake user comments.

Figure 1 Scam web page

The infection vector is a bit different from the earlier versions, but the malicious functionality and the C&C server communication stayed the same.


After the scam web page loads, the MazarBot is downloaded automatically. This time it pretends to be a “GooglePlay Update”.

Figure 2 Install request

As in the earlier versions, it first contacts the remote server with device and personal information, then waits for a particular application to be executed. In this case, the MazarBot stays in the background until the WhatsApp app is launched. When WhatsApp is executed, the MazarBot overlays the original activity and brings itself to the foreground. The phishing activity asks the user to verify their credit card information and sends it to the attacker's server.

Figure 3 MazarBot requesting credit card data

Figure 4 Credit card data sent to the server

Backdoor functionality is implemented as well. The MazarBot can perform these actions on the infected device:

  • Intercept received text messages
  • Stop intercepting received text messages
  • Lock device
  • Unlock device
  • Wipe data

By remotely locking the device, the attacker takes control away from the user, who can no longer perform any actions. The device stays locked until the attacker unlocks it or the user boots into Safe mode. The lock screen pretends to be an Android system update, with the text written only in Italian.
Original text: “Aggiornamento del sistema in corso. Attendere prego…”
Translated to English: “Upgrading the current system. Please wait…”

Figure 5 Fake lock screen

Based on the data found on the malicious server, the scam web page can masquerade as many other applications in different language variations, not only “Browser Chrome”. All of these fake web pages have the look and feel of the official Google Play Store application.
Scam web pages with language variations:

  • Viber PRO+ (Russian)
  • Chrome Browser (Russian)
  • Viber PRO+ (English)
  • Android 6.2 Beta (English)
  • Chrome-Browser (German)
  • Browser Chrome (Italian)
  • Chrome 浏览 (Chinese)
  • Android 6.2 Beta (Spanish)
  • Android 6.2 Beta (Thai)
  • Android 6.2 Beta (Portuguese)
  • Android 6.2 Beta (Turkish)
  • Android 6.2 Beta (Vietnamese)

In the future, the MazarBot could recruit even more bots from these regions of the world and expand its botnet.

More information

This time the MazarBot wasn’t created by some anonymous malicious developer; judging by its certificate, it was issued by Vladimir Putin himself. The developer misused his name in the signing certificate of this Italian version of the MazarBot.

Figure 6 Certificate issued by Vladimir Putin

C&C server
VirusTotal samples:

If you are interested you can download MazarBot samples from Koodous Project for free:

Monday, February 22, 2016

Recent MazarBot targeting the MobilePay can lock and erase your device

Based on data from Danske Bank, in 2015 MobilePay was the third most frequently used application in Denmark, after Facebook and Facebook Messenger, with more than 2.7 million people using it regularly.

Not long after the MazarBot was discovered by Heimdal Security, a new version is targeting Danish people again. Peter Kruse from the CSIS Security Group has already warned users about this new wave of the MazarBot in his latest blog post. But let’s take a bit deeper look.
The spreading scenario is the same. The user gets a text message claiming they have received an MMS. The text message also contains a URL link where the multimedia message can supposedly be viewed.

Figure 1 Received SMS pointing to MazarBot
Text message translated to English: “You have received an MMS from +45XXXXXXXX. Follow the link to view the message.” Clicking on the link leads to downloading the MazarBot and a request to install it as an “MMS Messaging” application.
After starting, the MazarBot sends device information to the remote server: device model, operator code, country, IMEI, all received text messages stored on the device and the package names of the installed applications.

Figure 2 Communication between MazarBot and the server

The MazarBot then contacts the server, expecting commands from the C&C to execute.
The MazarBot can perform these commands:

  • Send text messages
  • Intercept received text messages
  • Stop intercepting received text messages
  • Lock device
  • Unlock device 
  • Wipe data
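A defender-side check suggested by the command lists in this post and in the Italian one above (this is an added example, not code from the original posts or from the malware): a triage heuristic over a decoded AndroidManifest.xml that flags the permission mix an app needs for SMS interception, overlaying another app and device-admin lock/wipe. The permission-to-capability mapping and both sample manifests are my assumptions, constructed for the example.

```python
# Added example (not code from the posts or from MazarBot): a triage heuristic
# that flags an Android manifest requesting the capability mix described above.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

# Permission -> capability from the command list (mapping is my assumption)
SUSPICIOUS = {
    "android.permission.RECEIVE_SMS": "intercept received text messages",
    "android.permission.READ_SMS": "read text messages stored on the device",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay another app's activity",
    "android.permission.GET_TASKS": "watch for the target app being launched",
}

def analyze_manifest(manifest_xml: str) -> dict:
    """Return the matched capabilities and a flagged/not-flagged verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")} - {None}
    findings = {p: SUSPICIOUS[p] for p in sorted(perms) if p in SUSPICIOUS}
    # A receiver protected by BIND_DEVICE_ADMIN is what lets an app lock the
    # screen and wipe data: the "Lock device" / "Wipe data" commands.
    device_admin = any(
        r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    if device_admin:
        findings["device-admin receiver"] = "lock device / wipe data"
    # Verdict: SMS access combined with overlay or device-admin power
    sms = any(p.endswith("_SMS") for p in perms)
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    return {"findings": findings, "flagged": sms and (overlay or device_admin)}

# Constructed sample manifest (not an extracted MazarBot manifest) that
# requests the same capability mix as the command list above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mms">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="MMS Messaging">
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Benign-looking manifest for comparison: SMS access alone is not flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
```

The heuristic is deliberately coarse: it ranks samples for a human to look at, and a legitimate SMS or device-management app will also trip it.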

The attacker can remotely lock the user's device. The lock screen makes the user believe the system is updating. The user stays locked out of the device even after restarting it. The device can be unlocked by the attacker or by booting into Safe mode.

Figure 3 MazarBot lock screen

Phishing of MobilePay

Besides waiting for commands, the MazarBot watches for the MobilePay application to be executed. When MobilePay is launched, the malicious code creates an overlay activity in the foreground, asking the user to fill in personal information.

Figure 4 Fake MobilePay activity

After the user fills in their Social Security number, mobile number and password, the MazarBot asks them to take a picture of their NemID code card, the list of one-time passwords used when logging on.
Because the malicious code can also intercept incoming text messages and forward them to the attacker's server, it can bypass SMS-based two-factor authentication.

C&C server fail or when the security matters

The command and control server serves to gather the stolen data and, naturally, to control the bots. The MazarBot author didn’t focus much on securing it. The C&C web interface was openly accessible for more than 12 hours without any protection :).

Figure 5 The MazarBot C&C server

Most of the compromised devices were from Denmark.

Figure 6 Early C&C statistics translated by Google

More information

The server distributing the MazarBot was registered on February 16, 2016.
The C&C server, now with a login page implemented:
VirusTotal detection rate here.