Our team at Heimdal Security has recently analyzed a text message sent to random mobile numbers. The Geographical extent is so far unknown, so please exercise caution. The SMS / MMS in question arrives with the following contents (sanitized by Heimdal Security):

You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.

If the APK (which is a program file for Android) is run on an Android-powered smartphone, then it will gain administrator rights on the victim’s device. This will allow the attackers to:


Our team has identified the malicious APK to be the Mazar Android BOT, a threat also that Recorded Future spotted in November 2015. The malicious packet (APK) retrieves TOR and installs it on the victim’s phone via the following harmless URLs: https: // https: // In the next phase of the attack, the infection will unpack and run the TOR application, which will then be used to connect to the following server: http: // pc35hiptpcwqezgs [.] Onion. After that, an automated SMS will be sent to the number 9876543210 (+98 is the country code for Iran) with the text message: “Thank you”. The catch is that this SMS also includes the device’s location data.


Insidious mobile malware with crippling options

This specific mobile malware opens the doors to all kinds of malicious consequences for the victim. Attackers can:

  • Open a backdoor into Android smartphones, to monitor and control them as they please;
  • Send SMS messages to premium channel numbers, seriously increasing the victim’s phone bill;
  • Read SMS messages, which means they can also read authentication codes sent as part of two-factor authentication mechanisms, used also by online banking apps and ecommerce websites;
  • Use their full access to Android phones to basically manipulate the device to do whatever they want.

And it gets worse.


Polipo proxy and Man-in-the-Middle Attack

The attackers behind Mazar BOT also implemented the “Polipo proxy“, which gives them additional access to even more Android functionalities.

Polipoid brings the Polipo HTTP proxy to Android. Polipo lets you do useful things such as cache web pages for offline access and should generally speed up browsing a little.

Source: Github Through this proxy, cyber criminals can change the traffic and interpose themselves between the victim’s phone and a web-based service. This effectively becomes a Man-in-the-Middle attack. Here’s how it happens: Data is copied to your phone as mp3 files: 122.933 polipo.mp3 1,885,100 tor.mp3 Then, the proxy is configured as you can see below: 174.398 debiancacerts.bks 574 torpolipo.conf 879 torpolipo_old.conf 212 torrc 276 torrc_old For those technically inclined, the configuration of the TOR proxy will seem quite straightforward: proxy address = “” proxy port = 8118 allowedClients = allowedPorts = 1-65535 proxy name = “” cacheIsShared = false socksParentProxy = “” socksProxyType = socks5 diskCacheRoot = “” localDocumentRoot = “” disableLocalInterface = true disableConfiguration = true dnsUseGethostbyname = yes disableVia = true from, accept-language, x-pad link censor referer = maybe maxConnectionAge = 5m maxConnectionRequests = 120 serverMaxSlots = 8 server slots = 2 tunnelAllowedPorts = 1-65535 chunkHighMark = 11000000 object high mark = 128


An even higher degree of compromise: Chrome injects

As if it weren’t enough that it can stop calls and launch other aggressive commands on the victim’s phone, Mazar BOT is also capable of injecting itself into Chrome. mazar bot chrome inject And there are several other settings and commands that Mazar BOT can trigger, as showcased below. These include:

  • Controlling the phone’s keys
  • Enabling the sleep mode
  • Save actions in the phone’s settings, etc.

mazar bot's sourcer


Mazar BOT won’t run on Russian Android smartphones

Our team was not surprised to observe that the malware cannot be installed on smartphones running Android with the Russian language option. Mazar BOT will check the phone to identify the victim’s country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user: locale.getCountry () equalsIgnoreCase ( “RU”)) Process.killProcess (Process.myPid ()); mazar bot analysis Until now, Mazar BOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code be abused in active attacks. Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always). We can expect this malware to expand its reach, also because of its ability to remain covert by using TOR to hide its communication. As you may have anticipated, antivirus detection of the malicious APK is very low: 3/54 on VirusTotal. MazarBOT virustotal detection February 12 2016 snippet Click here for the full infection rates at the time the campaign was analyzed.


How to protect yourself from Mazar BOT

There are a few things you can do to keep your phone safe from Mazar BOT, and we recommend you take a moment now to verify and adjust these settings. 1. First of all, NEVER click on links in SMS or MMS messages on your phone. Android phones are notoriously vulnerable and current security product dedicated to this OS are not nearly as effective as they are on computers. 2. Go to Settings > Security and make sure this option is turned OFF: „Unknown Sources – Allow installation of apps from sources other than the playstore.”

3. Install a top antivirus for Android. It may not be enough to protect your phone, but it’s certainly good to have. You can find top-rated options in this article. 4. Do not connect to unknown and unsecured Wi-Fi hotspots. There are plenty of dangers lurking out there, and following some common-sense steps to keep yourself safe from them is the best thing to do. Also, keep your Wi-Fi turned OFF when you don’t use it.

5. Install a VPN on your smartphone and use constantly. It’s good for both your privacy and your security. 6. Maintain a cautious attitude at all times. Android security has not kept up with the high adoption rate of smartphones running the OS, and users may have to wait a long time until better security solutions appear. Until then, a careful evaluation of what happens on your phone is a very good safeguard.

Smartphone Security Guide: The Easiest Way to Keep Your Phone & Data Safe

How to Master Your App Permissions So You Don’t Get Hacked – The Full Guide

Security Alert: Mazar BOT Infects Users in Denmark and Italy [Updated]


Thank you for providing this information. Android phones are my favourite. This problem will be quite beneficial to me.

I’m impressed, I must say. Rarely do I encounter a blog that’s equally educative and amusing, and without a doubt, you’ve hit the nail on the head. The issue is something which too few men and women are speaking intelligently about. I’m very happy I stumbled across this in my hunt for something relating to this.|

Valuable information. Lucky me I discovered your site unintentionally, and I’m shocked why this accident didn’t took place earlier! I bookmarked it.|

Hi there to every body, it’s my first pay a visit of this web site; this web site includes amazing and truly fine stuff designed for visitors.|

Users will go crazy for the android. though Android is a more reliable feature and easy to use

Thanks for your information. I love android phones. This problem will help me a lot.

Thanks on your marvelous posting! I genuinely enjoyed reading it,
you may be a great author.I will always bookmark your blog and definitely will come back in the foreseeable
future. I want to encourage continue your great work, have a nice morning!

whoah this weblog is wonderful i love reading your articles.

Stay up the great work! You realize, lots of persons are looking around for this information,
you could help them greatly.

Hello and many thanks for your kind words! It means a lot to us! We’ll continue to concentrate our efforts on delivering useful content and actionable tips for our readers.

hey there — I happened to acquire a C2 related to mazarbot — and I was curious if you had a moment to chat?

Does this virus can attack IOS also ?

Thanks for this great article !

Hi Marku! For the moment, Mazar only targets Android devices. They are the most vulnerable and Android malware has become a huge threat in the past years.

BUT what to do if it has infected your phone?

How about you add “disable access to links in SMS/MMS settings” to your list of precautions?

The usual stuff… common sense and Google play, then your good to go..
How can it get admin (root access ) without a rooted device.?

So in order to get infected:

1) you get a random dodgy looking text from a random number.
2) You then have to tap on the dodgy looking link
3) it then pops up showing it’s downloading something dodgy
4) then (assuming install applications from unknown sources is turned on which it isn’t by default)
5) you then get the app install screen pop up for a program that’s already installed
6) You then click on install on that *and then* you will have officially been hacked

If you do this I’d recommend handing your phone in to the nearest police station and requesting sterilisation from the human race. Literally too stupid to use a phone.

Exactly..thats why Google Play and common sense is good to go.

You do know that “unknown sources install” is disabled by default, right?

Thank you for such a necessary and most informative guide for our safety.

Leave a Reply

Your email address will not be published. Required fields are marked *