Android MazarBot spreads via phishing pages for Raiffeisen Bank
SonicWall Capture Labs Threat Research team observed yet another Android malware campaign that targets a bank, this time Raiffeisen Bank. The campaign uses the Android banking trojan MazarBot, which first appeared in 2016, to infect the victim's device. The malware can execute a number of hard-coded commands, all focused on stealing the victim's personal information.
Infection Cycle – Stage I
The victim receives a spam email asking them to enter their Raiffeisen banking login credentials. If the user is not careful and trusts the fake web page to be authentic, the credentials are stolen and sent to the attacker. The next page asks the victim to install an Android security app related to Raiffeisen, which is MazarBot in disguise. The app was hosted at the following URL, which has since been taken down:
hxxp://banking.raiffeisen.at.updateid0891203.pw/download.php
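The phishing URL above puts the real brand (`banking.raiffeisen.at`) in the subdomain of an unrelated registrable domain (`updateid0891203.pw`). The following is an added example, not code from the SonicWall write-up, that flags this pattern in URL feeds: it refangs the indicator, takes a simplified registrable domain (last two labels, an assumption that ignores multi-label suffixes such as `co.uk`), and reports a brand name that appears only in the subdomain part. The `LEGIT_DOMAINS` set is a constructed allow-list for the example.

```python
# Added example (not from the SonicWall write-up): detect a bank brand used as a
# subdomain of an unrelated registrable domain, as in the phishing URL above.
from urllib.parse import urlparse

# Domains to protect (constructed list for this example).
LEGIT_DOMAINS = {"raiffeisen.at"}


def refang(url: str) -> str:
    """Turn a defanged indicator ('hxxp://') back into a parseable URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def registrable_domain(hostname: str) -> str:
    """Simplified eTLD+1: the last two labels (assumption). A production check
    should consult the Public Suffix List (e.g. the tldextract package) so that
    multi-label suffixes such as 'co.uk' are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Return 'legitimate', 'brand-as-subdomain', or 'unrelated'."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in legit_domains:
        return "legitimate"
    # Only the subdomain labels, i.e. everything left of the registrable domain.
    prefix = host[: -len(reg)].rstrip(".") if reg else host
    for legit in legit_domains:
        brand = legit.split(".")[0]          # "raiffeisen"
        if brand in prefix.split("."):
            return "brand-as-subdomain"
    return "unrelated"


if __name__ == "__main__":
    for u in ("hxxp://banking.raiffeisen.at.updateid0891203.pw/download.php",
              "https://banking.raiffeisen.at/login",
              "https://www.example.com/"):
        print(classify_url(u), u)
```

The brand match is an exact label comparison, so it catches the subdomain trick shown here but not homoglyph or hyphenated look-alikes; those need a separate similarity check.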
Infection Cycle – Stage II
The malware app requests the following permissions during installation:
- change network state
- uses policy force lock
- bluetooth
- internet
- access fine location
- send sms
- write sms
- access network state
- write external storage
- get package size
- read external storage
- receive boot completed
- vibrate
- call phone
- write settings
- read phone state
- read sms
- battery stats
- access wifi state
- wake lock
- change wifi state
- receive sms
- read contacts
- use sip
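Individually, most of these permissions are common in legitimate apps; what matters is the combination (incoming SMS access plus network access gives OTP interception, device-admin force-lock plus boot persistence gives a lockout that survives reboot). The following is an added example, not code from the SonicWall write-up, that triages a requested-permission list the way a sandbox or app-vetting pipeline would. The capability and chain tables are constructed for the example; `uses policy force lock` is a device-admin policy rather than a manifest permission and is normalized the same way for simplicity (an assumption).

```python
# Added example (not from the SonicWall write-up): triage a requested-permission
# list for the capability combinations a banking trojan needs.
from typing import Iterable


def normalize(name: str) -> str:
    """'send sms' or 'android.permission.SEND_SMS' -> 'SEND_SMS'."""
    return name.strip().split(".")[-1].upper().replace(" ", "_").replace("-", "_")


# Capability groups: every permission in the set must be present.
# USES_POLICY_FORCE_LOCK is a device-admin policy, treated like a permission here (assumption).
CAPABILITIES = {
    "sms_interception":   {"RECEIVE_SMS", "READ_SMS"},
    "sms_sending":        {"SEND_SMS"},
    "network_exfil":      {"INTERNET"},
    "contact_theft":      {"READ_CONTACTS"},
    "device_fingerprint": {"READ_PHONE_STATE"},
    "boot_persistence":   {"RECEIVE_BOOT_COMPLETED"},
    "device_admin_lock":  {"USES_POLICY_FORCE_LOCK"},
}

# Combinations that matter more than the sum of their parts.
CHAINS = {
    "otp_relay":          {"sms_interception", "network_exfil"},
    "persistent_lockout": {"device_admin_lock", "boot_persistence"},
}


def assess(requested: Iterable[str]) -> dict:
    """Map a raw permission list to capabilities, chains, a score and a verdict."""
    have = {normalize(p) for p in requested}
    caps = {c for c, needed in CAPABILITIES.items() if needed <= have}
    chains = sorted(c for c, needed in CHAINS.items() if needed <= caps)
    score = len(caps) + 2 * len(chains)
    if chains:
        verdict = "high"
    elif len(caps) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"capabilities": sorted(caps), "chains": chains,
            "score": score, "verdict": verdict}


# The permission list exactly as given in the write-up.
MAZARBOT_PERMISSIONS = [
    "change network state", "uses policy force lock", "bluetooth", "internet",
    "access fine location", "send sms", "write sms", "access network state",
    "write external storage", "get package size", "read external storage",
    "receive boot completed", "vibrate", "call phone", "write settings",
    "read phone state", "read sms", "battery stats", "access wifi state",
    "wake lock", "change wifi state", "receive sms", "read contacts", "use sip",
]

if __name__ == "__main__":
    print(assess(MAZARBOT_PERMISSIONS))
    print(assess(["internet", "vibrate", "access network state"]))
```

For the list above the function reports all seven capabilities and both chains, so the sample scores "high"; a typical utility app requesting only network and vibration permissions stays "low".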
Upon execution the malware requests Device Administrator privileges:
We analyzed a couple of malicious samples belonging to this campaign; the code in each one follows a different format. However, every sample shares a common trait: the code is confusing to follow because of jumbled class and variable names:
These samples contain a number of hardcoded commands. In one such sample the malware disguises them in the code by appending **83Y** to each string:
De-obfuscating this part of the code reveals a number of hardcoded commands indicating that this malware follows a bot structure. The interesting findings, grouped by purpose, are as follows:

Grab device related information:
- bc = a("get_packages");
- bd = a("get_device_model");
- be = a("get_os_ver");
- bf = a("get_number");
- bg = a("get_operator");
- bh = a("get_imei");
- bi = a("get_country");
- bj = a("get_contacts");
- bk = a("get_language");
- dj = a("imei");
- dl = a("getSimOperatorName");
- dm = a("getNetworkOperatorName");

Capture Credit Card related information:
- bn = a("mastercard");
- bo = a("visa");
- bp = a("amex");
- bq = a("Incorrect credit card number");
- cf = a("send_card_number");
- cg = a("number");
- ch = a("month");
- ci = a("year");
- cj = a("cvc");

Monitor specific apps:
- ck = a("com.paypal.android.p2pmobile"); (PayPal)
- cl = a("com.android.vending"); (Google Play)

Capture SMS messages related commands:
- cV = a("base_sms_intercept");
- cW = a("createFromPdu");
- cX = a("processIncomingMessages");
- dk = a("getMessageBody");

Tamper contacts detail:
- cS = a("UploadContactsRequest");
- cT = a("inject_id");
- cU = a("body");

Check if the malware is being run on a virtual environment/debugger:
- es = a("isDeb");
- et = a("generic");
- eu = a("unknown");
- ev = a("google_sdk");
- ew = a("Emulator");
- ex = a("Android SDK built for x86");
- ey = a("Genymotion");
- ez = a("sdk");
- eA = a("sdk_x86");
- eB = a("vbox86p");
- eC = a("golfdish");
- eD = a("ranchu");
- eE = a("android|emergency calls only|fakecarrier");
- eF = a("Debug");
- eG = a("ugger");

Other strings:
- aT = a("Bot is not able to run that command");
- bB = a("screen_lock");
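The emulator-related strings in the last group are the ones a sandbox operator most needs to understand: if an analysis VM reports any of them, the sample will behave differently than on a victim's phone. The following is an added example, not code from the SonicWall write-up, that first strips the **83Y** marker from those literals (assuming it is a plain suffix, as the text describes) and then evaluates the resulting checks against a `Build`-style profile. The mapping of each literal to a specific `android.os.Build` field or the network-operator name is an assumption; the write-up lists the strings but not the fields they are compared with. Both device profiles are constructed.

```python
# Added example (not from the SonicWall write-up): recover the emulator-check
# literals and test a device profile against them, so sandbox operators can see
# which properties would reveal the analysis environment to the sample.
import re

MARKER = "83Y"  # write-up: the sample appends this to its strings (assumed plain suffix)


def deobfuscate(s: str, marker: str = MARKER) -> str:
    """Strip the trailing marker; anything without it is returned unchanged."""
    return s[:-len(marker)] if s.endswith(marker) else s


# Constructed: the literals as they would sit in the sample with the marker attached.
OBFUSCATED = [
    "generic83Y", "unknown83Y", "google_sdk83Y", "Emulator83Y",
    "Android SDK built for x8683Y", "Genymotion83Y", "sdk83Y", "sdk_x8683Y",
    "vbox86p83Y", "golfdish83Y", "ranchu83Y",
    "android|emergency calls only|fakecarrier83Y",
]
STRINGS = [deobfuscate(s) for s in OBFUSCATED]

# Assumed mapping of the recovered literals to android.os.Build fields and the
# network-operator name (the write-up does not state which field each one tests).
FINGERPRINT_PREFIXES = ("generic", "unknown")
MODEL_MARKERS = ("google_sdk", "Emulator", "Android SDK built for x86")
MANUFACTURER_MARKERS = ("Genymotion",)
PRODUCT_OR_HARDWARE = {"sdk", "sdk_x86", "vbox86p", "golfdish", "ranchu"}
OPERATOR_RE = re.compile(STRINGS[-1], re.IGNORECASE)  # android|emergency calls only|fakecarrier


def emulator_indicators(profile: dict) -> list:
    """Return the names of the profile fields that trip an emulator check."""
    hits = []
    if profile.get("FINGERPRINT", "").startswith(FINGERPRINT_PREFIXES):
        hits.append("FINGERPRINT")
    if any(m in profile.get("MODEL", "") for m in MODEL_MARKERS):
        hits.append("MODEL")
    if any(m in profile.get("MANUFACTURER", "") for m in MANUFACTURER_MARKERS):
        hits.append("MANUFACTURER")
    if profile.get("PRODUCT", "") in PRODUCT_OR_HARDWARE:
        hits.append("PRODUCT")
    if profile.get("HARDWARE", "") in PRODUCT_OR_HARDWARE:
        hits.append("HARDWARE")
    if OPERATOR_RE.search(profile.get("OPERATOR", "")):
        hits.append("OPERATOR")
    return hits


def looks_like_emulator(profile: dict) -> bool:
    return bool(emulator_indicators(profile))


# Constructed profiles: a stock Android Studio AVD and a physical phone.
AVD_PROFILE = {
    "FINGERPRINT": "generic/sdk_gphone_x86/generic_x86:10/QSR1.190920.001/5891938:user/release-keys",
    "MODEL": "Android SDK built for x86", "MANUFACTURER": "Google",
    "PRODUCT": "sdk_gphone_x86", "HARDWARE": "ranchu", "OPERATOR": "Android",
}
PHONE_PROFILE = {
    "FINGERPRINT": "samsung/starltexx/starlte:10/QP1A.190711.020/G960FXXSBFUA1:user/release-keys",
    "MODEL": "SM-G960F", "MANUFACTURER": "samsung",
    "PRODUCT": "starltexx", "HARDWARE": "samsungexynos9810", "OPERATOR": "A1",
}

if __name__ == "__main__":
    print("recovered strings:", STRINGS)
    print("AVD:", emulator_indicators(AVD_PROFILE))
    print("phone:", emulator_indicators(PHONE_PROFILE))
```

Run against the stock AVD profile, the check fires on the fingerprint prefix, the model string, the `ranchu` hardware name and the "Android" operator name, which is exactly the list of properties an analyst would need to change before the sample would behave as it does on a real device.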
Overall, this campaign uses phishing pages for Raiffeisen Bank to spread its infection. It focuses on stealing sensitive user information stored on the infected device. It is likely that this campaign also spreads via phishing web pages imitating other banks and establishments.
SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures:
- GAV: AndroidOS.Banker.RF (Trojan)
- GAV: AndroidOS.Banker.TN (Trojan)