Wednesday, February 24, 2016

Android MazarBot stealing credit card information in Italy with a certificate issued by Putin



It looks like MazarBot is a very persistent botnet focusing on selected countries. Last time it was Denmark; now it is reaching into the pockets of Italian people. MazarBot tries to lure users into entering their credit card details under the guise of the WhatsApp application and sends them to a remote server.

 

[Image: credit cards]


MazarBot spreads via a URL link to a fake “Browser Chrome” application. The scam web page closely imitates the official Google Play Store. An inexperienced user will not notice any difference between Google Play and this fake page, except for the address bar. The page text is written in Italian, including the fake user comments.

[Image: phishing web page]
Figure 1 Scam web page

The infection vector is a bit different from the earlier versions, but the malicious functionality and the C&C server communication stayed the same.

Analysis

After loading this scam web page, the MazarBot will be automatically downloaded. This time it pretends to be “GooglePlay Update”.

[Image: manual installation request]
Figure 2 Install request

As in the earlier versions, it first contacts the remote server with device and personal information, then waits in the background until a particular application is launched. In this case, MazarBot stays dormant until the WhatsApp app is started. When WhatsApp is executed, MazarBot overlays the original activity and brings itself to the foreground. The phishing activity asks the user to verify their credit card information and sends it to the attacker's server.

[Image: scam activity requiring the user to fill in credit card information]
Figure 3 MazarBot requesting credit card data


[Image: client–server communication]
Figure 4 Credit card data sent to the server

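The exfiltration shown in Figure 4 is the point where a defender can catch this family on the wire. The following is an added example, not code from the original analysis: it scans constructed HTTP request records (the kind a proxy or a packet capture on the device would yield), marks requests to the C&C address the post names (162.220.246.24) and checks whether the request body carries a Luhn-valid primary account number, which is what the phishing overlay submits. The URL paths and form field names in the sample records are assumptions.

```python
"""Flag credit-card data being posted to the MazarBot C&C.

Added example for this post, not code from the original analysis. It scans
constructed HTTP request records, marks requests to the C&C address the
post names (162.220.246.24) and checks whether the body carries a
Luhn-valid primary account number. URL paths and field names are assumed.
"""
import re
from typing import Dict, List

CNC_HOST = "162.220.246.24"  # C&C address listed in the post

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-number candidate in text, separators stripped."""
    pans = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep the BIN and the last four digits so the finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(record: Dict[str, str]) -> Dict[str, object]:
    """Verdict for one request record with keys host, method, path, body."""
    pans = find_pans(record.get("body", ""))
    to_cnc = record["host"] == CNC_HOST
    if to_cnc and pans:
        verdict = "card-exfiltration"   # card data to the known C&C
    elif to_cnc:
        verdict = "cnc-contact"         # e.g. the initial device-info check-in
    elif pans:
        verdict = "card-data-outbound"  # card data leaving towards another host
    else:
        verdict = "benign"
    return {"host": record["host"], "path": record["path"],
            "pans": [mask(p) for p in pans], "verdict": verdict}


# Constructed sample records; the card number is a well-known test PAN.
SAMPLE_RECORDS = [
    {"host": CNC_HOST, "method": "POST", "path": "/api/checkin",
     "body": "imei=123456789012345&model=Nexus5&country=IT"},
    {"host": CNC_HOST, "method": "POST", "path": "/api/card",
     "body": "cc=4111 1111 1111 1111&exp=12/18&cvv=123&name=Mario+Rossi"},
    {"host": "www.whatsapp.com", "method": "GET", "path": "/", "body": ""},
    {"host": "shop.example", "method": "POST", "path": "/checkout",
     "body": "cc=4111111111111112"},  # fails the Luhn check, so not reported
]


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the records that deserve an alert."""
    return [r for r in map(classify, records) if r["verdict"] != "benign"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["verdict"], hit["host"], hit["path"], hit["pans"])
```

One caveat worth knowing before reusing the Luhn heuristic on real captures: IMEIs are also 15-digit Luhn-valid numbers, so the check-in request that MazarBot sends with device information will match unless you key on the field name or restrict the accepted lengths; the constructed IMEI above happens to fail the check only because it is not a real one.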
Backdoor functionality is implemented as well. The MazarBot can perform these actions on the infected device:

  • Intercept received text messages
  • Stop intercepting received text messages
  • Lock device
  • Unlock device
  • Wipe data

By remotely locking the device, the attacker takes control away from the user, who can no longer perform any actions. The device stays locked until the attacker unlocks it or the user boots into Safe mode. The lock screen pretends to be an Android system update, with the text written only in Italian.
Original text: “Aggiornamento del sistema in corso. Attendere prego…”
Translated to English: “Upgrading the current system. Please wait…”
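The overlay, SMS interception and remote lock/wipe described above each require a distinct declaration in the app's manifest, which makes a cheap first triage possible before any dynamic analysis. The following is an added example, not code from the original post: it reads a decoded AndroidManifest.xml (the textual form apktool produces) and reports whether the overlay permission (SYSTEM_ALERT_WINDOW, with GET_TASKS to learn which app is in the foreground), an SMS_RECEIVED receiver with RECEIVE_SMS, and a device-admin receiver protected by BIND_DEVICE_ADMIN (the hook that remote lock and wipe need) are all present. Both sample manifests are constructed, and their package names are placeholders.

```python
"""Triage an Android manifest for the capability set described in this post.

Added example, not code from the original post. Reads a decoded (textual)
AndroidManifest.xml and reports which of the behaviours MazarBot needs are
declared: overlay, foreground-app detection, SMS interception and device
administration. The sample manifests are constructed; package names are
placeholders.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission -> capability label used in findings.
PERMISSION_CAPS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.GET_TASKS": "foreground-app-detection",
    "android.permission.RECEIVE_SMS": "sms-intercept",
    "android.permission.INTERNET": "network",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def triage(manifest_xml: str) -> List[str]:
    """Return the list of notable capabilities declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings: List[str] = []
    for elem in root.iter("uses-permission"):
        cap = PERMISSION_CAPS.get(elem.get(ANDROID + "name", ""))
        if cap and cap not in findings:
            findings.append(cap)
    for recv in root.iter("receiver"):
        # A device-admin receiver must be protected by BIND_DEVICE_ADMIN; this
        # is the hook that allows an app to lock the screen or wipe the device.
        if recv.get(ANDROID + "permission") == DEVICE_ADMIN_PERM:
            findings.append("device-admin")
        # A receiver for SMS_RECEIVED is how incoming texts get intercepted.
        if any(a.get(ANDROID + "name") == SMS_ACTION for a in recv.iter("action")):
            findings.append("sms-receiver")
    return findings


def risk_level(findings: List[str]) -> str:
    """Overlay + SMS interception + device admin together is the MazarBot profile."""
    key: Set[str] = {"overlay", "sms-intercept", "device-admin"} & set(findings)
    if len(key) == 3:
        return "high"
    if len(key) == 2:
        return "medium"
    return "low"


# Constructed manifest mirroring the behaviour the post describes.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="GooglePlay Update">
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network-only app for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage(xml_text)
        print(name, risk_level(found), found)
```

A manifest check of this kind is a filter, not a verdict: legitimate device-management and messaging apps declare some of the same things, which is why the risk level only turns high when overlay, SMS interception and device administration appear together in one package.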

[Image: lock screen]
Figure 5 Fake lock screen

Based on the data found on the malicious server, the scam web page can masquerade as many other applications in different language variants, not only “Browser Chrome”. All of these fake pages have the look and feel of the official Google Play Store application.
Scam web pages with language variants:

  • Viber PRO+ (Russian)
  • Chrome Browser (Russian)
  • Viber PRO+ (English)
  • Android 6.2 Beta (English)
  • Chrome-Browser (German)
  • Browser Chrome (Italian)
  • Chrome 浏览 (Chinese)
  • Android 6.2 Beta (Spanish)
  • Android 6.2 Beta (Thai)
  • Android 6.2 Beta (Portuguese)
  • Android 6.2 Beta (Turkish)
  • Android 6.2 Beta (Vietnamese)


In the future, MazarBot could recruit even more bots from these regions and expand its botnet.

More information

This time, judging by its signing certificate, MazarBot was not created by some anonymous malicious developer but issued by Vladimir Putin himself. The developer misused his name when signing the certificate of this Italian version of MazarBot.

[Image: Android malware with a certificate signed by Vladimir Putin]
Figure 6 Certificate issued by Vladimir Putin

C&C server http://162.220.246.24/
VirusTotal samples:

If you are interested you can download MazarBot samples from Koodous Project for free:


4 comments:

  1. Hi Lukas from Cadiz! My name is Lucas like you! I love malware, reversing, etc., but I am very much a newbie ;( How can I sniff my mobile wifi traffic with Wireshark? I only get to sniff my laptop (that's running Wireshark), but it doesn't capture other wifi devices, it only sees the broadcast requests.

    Thanks my friend ;)

  2. Hello Lucas! If you want to capture mobile traffic I recommend this great tool https://play.google.com/store/apps/details?id=jp.co.taosoftware.android.packetcapture. It can capture the whole mobile traffic or only a specific application's communication. Hope it helps, best regards Lucas!

  3. Thank you for sharing such great information. It was very informative and has helped me in finding out more detail about Credit Card!

  4. Yes, you are absolutely correct...And it is very informative and very clear and easy to understand..
    read more
