SMS Android malware roots and hijacks your device - unless you are Russian

A fresh strain of mobile malware has been discovered which is able to root devices, hijack sessions and completely wipe system data.
Written by Charlie Osborne, Contributing Writer

Android-based mobile malware which is able to give itself admin privileges and completely take over aspects of a smartphone's functionality has been discovered in the wild, researchers say.

According to security specialist Andra Zaharia from Heimdal Security, the malware, dubbed Mazar Android BOT, spreads via SMS and MMS messages. Crafted with a malicious link, the message reads:

"You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message."

This message links to an Android application package (APK). The user is then prompted to download the package, which is given a generic name -- "MMS Messaging" -- to make the potential victim more likely to trust the download.

If installed, the malicious code hidden within grants itself administrator rights on an Android device, giving attackers the option to send premium messages without consent, hijack browser sessions, root the device, monitor phone and text messages and retrieve device data.

In addition, but perhaps most crucially, Mazar can also completely erase the infected device and all information stored within, as well as read authentication codes sent to the device as part of two-factor authentication systems used by online banking and social media accounts.

In a blog post, Zaharia said the spread of the malware and its geographical targets are currently unknown. The Mazar APK was first spotted in November 2015 by Recorded Future, which noted the malware was able to download and run TOR on infected devices before connecting to hidden Onion servers and the malware's command and control (C&C) centers.

However, the malware's capabilities worsen. The cybercriminals behind Mazar also have implemented the "Polipo HTTP proxy," a way to give them access to additional functionalities within an Android device.

According to GitHub, the HTTP proxy not only provides useful functionality such as speeding up mobile browsing, but is also able to cache Web pages for offline access. In other words, an attacker using Mazar can also view the victim's browsing history and launch Man-in-the-Middle (MITM) attacks to monitor traffic and hijack browser sessions.

Add this to the fact Mazar can also inject itself into the mobile Chrome browser, and victim sessions are left utterly vulnerable to exploit.

An element of interest is that the malware will target Android phones indiscriminately, but is not able to download and run on devices based on the Russian language. Mazar implements a data process which pulls up a device's listed country and the APK will stop if it detects the smartphone is owned by a Russian user.

While Mazar has been on sale in the Dark Web for some time, the researchers say this is the first time they have seen the malware used in active campaigns. The team notes:

"Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always).
We can expect this malware to expand its reach, also because of its ability to remain covert by using TOR to hide its communication."

In order to protect yourself from such threats, you should never click on links sent by SMS or MMS message services.

Read on: Top picks

Editorial standards