Skip navigation
A data security professional scrolls through their phone with their laptop open in the background.
industry news

Android Device Malware Spotted in Active Attacks

A bot by the name of Mazar that targets Android devices has been spotted in active attacks against users. The malware gains full administrative rights to Android devices, plus installs Tor and a proxy app for data interception attacks, according to research from Heimdal Security.

A link to download the malicious Android application package (APK) is sent via SMS and MMS message. An APK is the package file format used by Android to distribute and install mobile apps, similar to Windows .exe files used to install software. The malicious APK installs Tor on the phone, then sends the device location back to the attacker’s command and control server, notifying them the install was successful.

Then users are prompted to install another app that appears benign - named MMS Messaging, this program requests admin privileges, according to

The Damage: Administrative Rights and Browser Injection

According to Threatpost, the malware allows attackers to spy on Android phones, and establish a backdoor connection. The malware can gain boot persistence, meaning it can still run even after a device reboot. The attackers can also send and read messages (including authentication passcodes sent for two-factor authentication), and even wipe the phone’s data.

Mazar then installs another app called Polipo HTTP proxy which enables man-in-the-middle attacks (MiTM) and traffic sniffing. Polipo is an app that allows Android users to create a cache for web links to access them offline and increase browsing speed, but attackers can also use it to modify traffic and launch MiTM attacks.

The malware can also inject itself into Google’s Chrome browser, allowing attackers to control a smartphone’s keys, enable sleep mode and save actions in the phone’s settings.

Interestingly enough, it appears that there are some geolocation controls built into the malware - it’ll check to see if the phone is owned by a Russian user, then stop the malicious APK from deploying if that’s the case.

Avoiding Complete Android Device Pwnage

A few security tips from Heimdal Security include:

  • Never click on links in SMS or MMS messages on your phone
  • Turn off the security setting that allows your phone to install apps from any other source than the official Google Play Store
  • Install a VPN on your smartphone
  • Don’t connect to unknown and unsecured Wi-Fi hotspots

The first tip is an important lesson for anyone - don’t click on links in MMS messages on your phone, even if you think you might know the sender, and especially if you don’t. It’s possible an attacker can disguise a message to appear to come from a credible source, or even hack and remotely send text messages from a legitimate contact of yours. It’s better to be safe and not download the message, rather than getting your smartphone completely compromised.

And the same goes for links sent in emails - it’s an easy way to redirect users to execute an exploit kit or download malware to their devices. That can introduce a serious security risk to your company if a compromised user connected to your company’s applications and network. An attacker could transfer malware to your company and access sensitive business information.

Outdated operating systems, browsers and plugins are often easily exploited leveraging known vulnerabilities. Here’s a few tips on how to mitigate risks posed by out-of-date Android devices, from Duo Analytics: Android Device Security:

  • Warn users that Android updates aren’t automatically deployed on a timely basis - it can take weeks or months for non-Nexus devices to get updates via hardware OEMs or carriers
  • Recommend that users use Nexus devices that receive more frequent and direct platform update support that doesn’t depend on carrier/OEM deployment
  • Detect users with missing supported security updates, and encourage them to run updates at a convenient time

Duo allows administrators to block devices running outdated versions, further reducing your risk of malware infection and a subsequent breach from a device connecting to your company’s network. Learn more about Device Insight and Policy and Controls.