
It seems like only yesterday we were in the midst of the Stagefright vulnerability which, thanks to some irresponsible coverage from the mainstream media, struck fear into millions of Android users. As the OS matures, most of the easy-to-exploit bugs in Android have been found and fixed, so it stands to reason that the remaining ways in are getting more and more obscure. As that has happened, attackers have come to rely more on the user doing something silly, and the latest threat confirmed by Heimdal Security, Mazar Bot, fits squarely in that box: it is malware delivered by SMS and installed by the user, not a bug in Android itself.

To fall victim, several things have to go wrong, in this order:
1. You receive an SMS that goes something like this:

You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.

(The link is shown defanged here, with spaces and brackets inserted so it cannot be tapped.)

2. You are silly enough to follow the link, which downloads an APK file instead of showing you any message.
3. You have Install from Unknown Sources enabled on your phone, or turn it on when the installer complains, so the APK can be installed.
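The lure in step 1 has a recognisable shape: a message from a number you don't know, a link on a host that is not your carrier, and a path ending in .apk. What follows is an added example (written for this page, not code from the original post or from Heimdal) of a small triage routine that flags such messages. It is in Python so it runs on a desktop against an exported inbox; it first undoes the defanging used in the quoted message so the link can be parsed like a real one, and the inbox it works on is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inbox for the example; these are not real captured messages.
# The first body mirrors the lure quoted above, defanged exactly as printed there.
SAMPLE_INBOX = [
    ("+61400000001",
     "You have received a multimedia message from +61 400000002 "
     "Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message."),
    ("+61400000003", "Your parcel is ready: https://example.com/track/123"),
    ("Mum", "Dinner at 7? Directions: http://maps.example.org/place"),
]

APK_PATH = re.compile(r"\.apk$", re.IGNORECASE)


def refang(text):
    """Undo the defanging conventions used when quoting malicious links
    ("http: //", "[.]", " / ") so the URL can be parsed like a real one."""
    text = re.sub(r"(?i)\b(https?):\s*//", r"\1://", text)
    text = re.sub(r"\s*\[\.\]\s*", ".", text)   # "host [.] tld" -> "host.tld"
    text = re.sub(r"\s*/\s*", "/", text)        # "host / path" -> "host/path"
    return text


def extract_urls(text):
    """Return every http(s) URL in the (refanged) text, minus trailing punctuation."""
    return [u.rstrip(".,;:)") for u in re.findall(r"https?://\S+", refang(text))]


def triage_sms(sender, body, known_contacts=frozenset()):
    """Return the reasons this SMS looks like an APK-dropper lure (empty if none)."""
    reasons = []
    for url in extract_urls(body):
        parts = urlsplit(url)
        if APK_PATH.search(parts.path):
            reasons.append("link downloads an APK: " + url)
        elif parts.scheme == "http":
            reasons.append("plain-http link: " + url)
    # An unknown sender on its own is not suspicious; it only aggravates a link hit.
    if reasons and sender not in known_contacts:
        reasons.append("sender " + sender + " is not a saved contact")
    return reasons


if __name__ == "__main__":
    for sender, body in SAMPLE_INBOX:
        hits = triage_sms(sender, body, known_contacts={"Mum"})
        print(sender, "->", hits or "ok")
```

The .apk check is the one that matters: a genuine MMS is delivered inside your messaging app and never asks you to download and install anything, so any text that links to an APK is a red flag regardless of who it claims to be from.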

Once installed, the APK has (on Lollipop and earlier, where every permission is granted at install time) or asks for (on Marshmallow, which prompts at runtime for the sensitive ones such as SMS and phone access) the following permissions, and it also asks to be made a device administrator. That is not root, but device administrator rights are enough to lock or wipe the phone and make the app very hard to uninstall.

  • SEND_SMS
  • RECEIVE_BOOT_COMPLETED
  • INTERNET
  • SYSTEM_ALERT_WINDOW
  • WRITE_SMS
  • ACCESS_NETWORK_STATE
  • WAKE_LOCK
  • GET_TASKS
  • CALL_PHONE
  • RECEIVE_SMS
  • READ_PHONE_STATE
  • READ_SMS
  • ERASE_PHONE (not a standard Android permission name; the ability to wipe the phone actually comes from the device administrator rights it requests)
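What that list adds up to is easier to see when the permissions are read as capabilities. Below is an added example (mine, not code from the post or from Heimdal, and not the real Mazar Bot manifest) that pulls the uses-permission entries and any device-administrator receiver out of an AndroidManifest.xml, of the kind apktool or aapt produces from an APK, and reports which capabilities the combination grants. The manifest it parses is constructed for the example and simply carries the permissions listed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for the example: the permission list from above plus a
# device-administrator receiver. It is not the real Mazar Bot manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mms">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ERASE_PHONE"/>
  <application android:label="MMS">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Capability -> permissions that must all be present for it. Names are the platform
# ones; ERASE_PHONE is not a platform permission and Android simply ignores it.
CAPABILITIES = [
    ("read incoming SMS, including one-time codes",
     {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
    ("hide or alter SMS after they arrive", {"android.permission.WRITE_SMS"}),
    ("send SMS (premium-rate fraud, spreading the lure)", {"android.permission.SEND_SMS"}),
    ("draw over other apps (fake login screens)", {"android.permission.SYSTEM_ALERT_WINDOW"}),
    ("watch which app is in the foreground", {"android.permission.GET_TASKS"}),
    ("place phone calls", {"android.permission.CALL_PHONE"}),
    ("restart itself after a reboot", {"android.permission.RECEIVE_BOOT_COMPLETED"}),
]


def parse_manifest(xml_text):
    """Return (set of requested permission names, True if a device-admin receiver exists)."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    requested = {e.get(name_attr) for e in root.findall("uses-permission")}
    device_admin = any(
        r.get(perm_attr) == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    return requested, device_admin


def capabilities(requested):
    """Capabilities the requested permission set grants, in CAPABILITIES order."""
    return [name for name, needed in CAPABILITIES if needed <= requested]


def risk_level(requested, device_admin):
    """Crude verdict: SMS access combined with device admin is the classic banking-bot shape."""
    caps = capabilities(requested)
    sms = any("SMS" in c for c in caps)
    if sms and device_admin:
        return "high"
    if sms or device_admin or "draw over other apps (fake login screens)" in caps:
        return "medium"
    return "low"


def triage(xml_text):
    requested, device_admin = parse_manifest(xml_text)
    return {
        "capabilities": capabilities(requested),
        "device_admin": device_admin,
        "risk": risk_level(requested, device_admin),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("device admin:", report["device_admin"], "| risk:", report["risk"])
    for cap in report["capabilities"]:
        print(" -", cap)
```

No single permission here is damning on its own; a legitimate messaging app needs most of the SMS ones. It is the combination of reading and hiding SMS, drawing over other apps, surviving reboots and holding device administrator rights that marks out a banking trojan, which is why the verdict is computed on the set rather than on individual entries.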

If you're unfortunate enough to get to this point, it's all over, because the app silently installs Tor (an anonymity network client, not a VPN) so its operators can reach it without being traced, and can route your traffic through a proxy they control that captures pretty much every detail and entry on your device. This includes your device's location, contacts, emails, passwords and any other credentials stored on it. This is what is known as a "man in the middle" attack: your phone keeps working more or less normally, perhaps with some lag, but everything is being channelled through a point the attacker controls and captured for use later as required.

Perhaps a hint as to the origin of the malware, perhaps not, but an interesting note from the team at Heimdal is that the malware will not install on phones with the language set to Russian.

How to protect yourself

Two really simple steps will protect you from this particular malware. First, use common sense and don't follow links in texts from unknown numbers telling you to download an app; a genuine MMS arrives in your messaging app and never asks you to install an APK. Second, make sure (I know I have had it on in the past) that Install from Unknown Sources (which you'll find in Settings –> Security) is turned off, and if you ever switch it on to sideload something you trust, switch it straight back off afterwards. On Marshmallow and earlier you can also confirm the state from a computer with "adb shell settings get secure install_non_market_apps", which prints 1 when sideloading is enabled (0, or null if it has never been changed, means it is off). If you're really keen to add another layer of protection for your data, there are Android antivirus apps available through the Play Store, though they are a backstop rather than a substitute for the first two steps.

Ultimately this is another threat that relies on a chance encounter with a user who is poorly educated about device security, doesn't pay attention to what they're installing and doesn't read what is on their screen. If you're someone who blindly follows links you're sent, keeping unknown-source installation disabled will still give you a reasonable amount of protection from this malware, as long as you don't then enable it to get the APK installed.

Be smart, be safe and if something seems dodgy it probably is so back away slowly.

Of all the security “scares” that have been brought to light for Android, how does this one rank in your eyes?

Source: Heimdal Security.
    TheCatMan

    @Phil .. Just noticed the ESM (Emergency Services Medal) after your name. What an honor. Congratulations, man.