A new Mazar BOT campaign is currently targeting Android users in Denmark and Italy. Attackers are spoofing trustworthy organizations to infect Android smartphones.

In Denmark, potential victims are receiving the SMS below:

[Image: new android malware post denmark]

The SMS tells the recipient the following:

Your package is available for pick up. Follow link to see all the information on your package:

Once clicked, the shortened link leads to www[.]fhsinsaat.com/apk/post.apk (sanitized by Heimdal Security), which downloads an Android app installation file onto the victim’s smartphone.

For the moment, antivirus detection for this link is zero (0/67), according to VirusTotal:

[Image: VirusTotal detection rate]

Cyber criminals often use shortened URLs to hide the final destination of their malicious links. Because users trust URL shorteners (bit.ly being one of the most famous), they might click without thinking twice or contemplating the possibility of a cyber attack.

As for the [http://]fhsinsaat.com/ domain (sanitized by Heimdal Security), which hosts the infected file, only Bitdefender sees it as a malware site, so the detection rate is very low: only 1/67 on VirusTotal.

[Image: infected APK host detection rate]

This new campaign aims to spread the Mazar BOT malware that sprawled across Europe and beyond earlier this year, in February 2016. The change is that, this time, the code is obfuscated and it’s a lot more difficult to analyze. The cyber criminals who created Mazar BOT must have learnt from previous campaigns and wanted to make it even more challenging for law enforcement and cyber security specialists to dissect the malicious code.

So far, this new Mazar BOT campaign has infected almost 400 Android devices in Denmark and 1500 in Italy.
For those who haven’t read about Mazar BOT yet, you should know that, once installed, it has the ability to:

  • write, send, receive and read SMS
  • access Internet connections
  • access the state of the network that the device is connected to
  • call phones
  • erase the phone it’s installed on, and many more.

As in the Mazar BOT campaign we announced in February, the malware can’t be installed on smartphones running Android with the Russian language option. So we can easily infer where the makers of Mazar BOT come from.
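The capabilities listed above each correspond to permissions an Android app must declare in its manifest (SMS handling, network access, phone calls) or, for wiping the phone, to a device-admin receiver. The triage helper below, an added example that is not Heimdal or CSIS tooling, flags a decoded manifest whose permission set matches that profile. It assumes the manifest has already been decoded from the APK's binary XML (e.g. with apktool); the function names and the sample manifest are constructed for illustration, not taken from the real post.apk.

```python
"""Flag a decoded AndroidManifest.xml whose permissions match the Mazar BOT
capability profile: SMS control, network access, phone calls, device-admin wipe.
Hypothetical helper; the manifest must already be decoded (e.g. via apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> manifest permissions that grant it
CAPABILITY_PERMISSIONS = {
    "sms_control": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                    "android.permission.READ_SMS", "android.permission.WRITE_SMS"},
    "internet": {"android.permission.INTERNET"},
    "network_state": {"android.permission.ACCESS_NETWORK_STATE"},
    "call_phones": {"android.permission.CALL_PHONE"},
}

def declared_permissions(root):
    """All <uses-permission android:name=...> values in the manifest."""
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def requests_device_admin(root):
    """True if a receiver is protected by BIND_DEVICE_ADMIN, the prerequisite
    for an app to wipe the device through DevicePolicyManager."""
    return any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for r in root.iter("receiver"))

def triage_manifest(manifest_xml):
    """Return the package name, matched capabilities and a Mazar-like verdict."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    hits = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if requests_device_admin(root):
        hits.add("device_admin_wipe")
    return {"package": root.get("package"), "capabilities": sorted(hits),
            "mazar_like": {"sms_control", "call_phones", "device_admin_wipe"} <= hits}

# Constructed sample manifest (not extracted from the real post.apk)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.postdk">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A permission set alone is not proof of malice (legitimate SMS or MDM apps declare similar sets), so treat a hit as a reason to analyse the sample further, not as a verdict.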

Mobile malware – bigger and more aggressive

Unfortunately, awareness about Android malware attacks is still low and people tend to expose themselves to attacks by clicking unknown and unrequested links. According to a recent study:

97% of malware focuses on the Android operating system

In September 2015, Google announced that there are 1.4 billion active Android devices in the world. So it shouldn’t come as a surprise that cyber criminals are trying to exploit vulnerabilities and cash out on this huge potential market.

Because Google’s Play store is much more accessible for app developers, cyber criminals can use this flexibility for their malicious purposes. And there are already over a thousand known malware families that focus on Google’s mobile OS.

In this particular campaign, attackers try to gain the victims’ trust by spoofing Post Denmark’s identity, a trusted company which Danes are completely familiar with.

Post Nord and Post Denmark were often used as bait for cyber attacks in the past 6 months. We’ve reported on these spam campaigns before, as they sent thousands of spam emails trying to infect victims with ransomware such as CryptoLocker.

Using these trusted organizations to disguise their attacks must have proved to be very effective for cyber criminals, because they continue to aggressively pursue this tactic, which they’re now applying on smartphones running Android.

Since the campaign is currently under way, we might return with more details related to the infection, but this has the potential to become a global campaign.

Top 6 Essential Protection Tips against Mobile Malware

Smartphone security is an increasingly important subject, but you can start with these 6 must-have security measures:

1. NEVER click on links in SMS or MMS messages on your smartphone. This is a rule of thumb you should follow at all times. As you’ve seen, Android devices are more vulnerable than you realize, and current security solutions for the platform are not nearly as effective as we need them to be. So keep that FOMO (Fear of Missing Out) in check and use the web to navigate directly into the account you need to get the information from.

2. Go to Settings > Security and make sure this option is turned OFF: “Unknown Sources – Allow installation of apps from sources other than the Google Play store.”

This ensures that no app will be installed on your phone, unless it comes from the Google Play store. It goes without saying that you should never install apps that aren’t in the Play store, right?

3. Install a top antivirus for the Android operating system. Don’t expect mobile AV to handle all the security challenges, but use it as a security layer for your phone’s safety. Top-rated options are readily available for you to test.

4. Never use unknown and unsecured Wi-Fi hotspots. No matter how strong the temptation is, resist the urge to connect to potentially dangerous Wi-Fi networks. Cyber criminals are very skilled at using unsecured networks to hack people’s phones. Maybe you can use the Wi-Fi protection steps we outlined. Also, keep your Wi-Fi turned OFF when you don’t use it.

5. Install a VPN on your smartphone and use it at all times. You’ll get extra security and extra privacy by doing so.

6. Train yourself to be careful all the time. With almost 1.5 billion Android devices worldwide (if not more), smartphone security will have to exponentially increase its development speed to keep up. So far, the security industry is lagging behind, so Android users have to train themselves to protect their devices and, most of all, the data stored on them.

And there’s even more you can do, so we recommend you go over the smartphone security guide we published a short while ago (for situations just like these) and apply the recommendations included in it.

* This article features cyber intelligence provided by CSIS Security Group researchers.

Comments

I was stupid enough to fall for this scam and downloaded the app and installed it – but only halfway. I accepted that it could access contacts and so on (which is quite normal for apps), but the next question was to allow the app to erase everything on my phone, which I of course couldn’t accept. I tried to push “cancel”, but it jammed, and kept asking for that permission. I found out that if I turned off the phone and quickly went to settings -> apps I could open the “Postdanmark”-app before it started asking me for that permission and uninstall it from the phone – so I did. And I also deleted the file which I had downloaded. My question is: Has the harm been done? Has the malware been fully installed, or am I safe? Is there a way I can check whether or not my phone is infected with the malware and other people have access to it?

Hi Sigrid!

Sorry to hear about your mishap. I couldn’t tell if your phone is infected or not at this stage (although it probably is). The safest solution is to format your phone and start from scratch.

Let me know how it goes. Best of luck!

Thank you so much for your reply! I did reset my phone to its factory settings and reinstalled everything. Is there a risk that some malware has survived that operation? I mean – apps, contacts and so on were reinstalled from my Google account. Can the malware be synchronised as well? I don’t know how to check if everything is okay when most antivirus programmes can’t detect this one.
/Sigrid

Hi Sigrid,

In theory, you should be safe. Mazar should be 100% gone after a reboot. Until now, Android malware hasn’t been shown to be able to hide itself within your Google account.

As a safety precaution, go through this security check: https://security.google.com/settings/security/secureaccount

Also, make sure you never install apps from untrusted sources, and also install an Android antivirus app that you can trust (paid is always better than free).

Mazar detection has evolved since the threat appeared, and antivirus is still necessary, even if their detection rates have dropped.

Check out our smartphone security guide for more tips on how to protect your phone and data: https://heimdalsecurity.com/blog/smartphone-security-guide-keep-your-phone-data-safe/
