{
	"id": "83dedb49-d2b2-4692-98a7-caadf06cb810",
	"created_at": "2026-04-06T00:06:40.325019Z",
	"updated_at": "2026-04-10T13:11:40.756215Z",
	"deleted_at": null,
	"sha1_hash": "4f318343f81a9f68d23d9f28acf33b3696c24e8d",
	"title": "Mazar BOT – the Android Malware That Can Erase Your Phone",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 488959,
	"plain_text": "Mazar BOT – the Android Malware That Can Erase Your Phone\r\nBy Andra Zaharia\r\nPublished: 2016-02-12 · Archived: 2026-04-05 13:51:49 UTC\r\nIn February 2016, our team at Heimdal Security analyzed a text message sent to random mobile numbers. The\r\nGeographical extent was not known at the time, so caution was advised.\r\nThe SMS / MMS in question arrived with the following contents (sanitized by Heimdal Security):\r\nYou have received a multimedia message from +[country code] [sender number] Follow the link http:\r\n//www.mmsforyou [.] Net / mms.apk to view the message.\r\nIf the APK (which is a program file for Android) is run on an Android-powered smartphone, then it will gain\r\nadministrator rights on the victim’s device. This will allow the attackers to:\r\nSEND_SMS\r\nRECEIVE_BOOT_COMPLETED\r\nINTERNET\r\nSYSTEM_ALERT_WINDOW\r\nWRITE_SMS\r\nACCESS_NETWORK_STATE\r\nWAKE_LOCK\r\nGET_TASKS\r\nCALL_PHONE\r\nRECEIVE_SMS\r\nREAD_PHONE_STATE\r\nREAD_SMS\r\nERASE_PHONE\r\nhttps://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/\r\nPage 1 of 6\n\nOur team has identified the malicious APK to be the Mazar Android BOT, a threat also that Recorded Future\r\nspotted in November 2015. The malicious packet (APK) retrieves TOR and installs it on the victim’s phone via\r\nthe following harmless URLs: https: //f-droid.org/repository/browse/?fdid=org.torproject.android https:\r\n//play.google.com/store/apps/details?id=org.torproject.android In the next phase of the attack, the infection will\r\nunpack and run the TOR application, which will then be used to connect to the following server: http: //\r\npc35hiptpcwqezgs [.] Onion. After that, an automated SMS will be sent to the number 9876543210 (+98 is the\r\ncountry code for Iran) with the text message: “Thank you”. The catch is that this SMS also includes the device’s\r\nlocation data.\r\nInsidious mobile malware with crippling options\r\nThis specific mobile malware opens the doors to all kinds of malicious consequences for the victim. Attackers\r\ncan:\r\nOpen a backdoor into Android smartphones, to monitor and control them as they please;\r\nSend SMS messages to premium channel numbers, seriously increasing the victim’s phone bill;\r\nRead SMS messages, which means they can also read authentication codes sent as part of two-factor\r\nauthentication mechanisms, used also by online banking apps and ecommerce websites;\r\nhttps://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/\r\nPage 2 of 6\n\nUse their full access to Android phones to basically manipulate the device to do whatever they want.\r\nAnd it gets worse.\r\nPolipo proxy and Man-in-the-Middle Attack\r\nThe attackers behind Mazar BOT also implemented the “Polipo proxy“, which gives them additional access to\r\neven more Android functionalities.\r\nPolipoid brings the Polipo HTTP proxy to Android. Polipo lets you do useful things such as cache web\r\npages for offline access and should generally speed up browsing a little.\r\nSource: Github Through this proxy, cyber criminals can change the traffic and interpose themselves between the\r\nvictim’s phone and a web-based service. This effectively becomes a Man-in-the-Middle attack. Here’s how it\r\nhappens: Data is copied to your phone as mp3 files: 122.933 polipo.mp3 1,885,100 tor.mp3 Then, the proxy is\r\nconfigured as you can see below: 174.398 debiancacerts.bks 574 torpolipo.conf 879 torpolipo_old.conf 212 torrc\r\n276 torrc_old For those technically inclined, the configuration of the TOR proxy will seem quite straightforward:\r\nproxy address = “127.0.0.1” proxy port = 8118 allowedClients = 127.0.0.1 allowedPorts = 1-65535 proxy name =\r\n“127.0.0.1” cacheIsShared = false socksParentProxy = “127.0.0.1:9050” socksProxyType = socks5\r\ndiskCacheRoot = “” localDocumentRoot = “” disableLocalInterface = true disableConfiguration = true\r\ndnsUseGethostbyname = yes disableVia = true from, accept-language, x-pad link censor referer = maybe\r\nmaxConnectionAge = 5m maxConnectionRequests = 120 serverMaxSlots = 8 server slots = 2 tunnelAllowedPorts\r\n= 1-65535 chunkHighMark = 11000000 object high mark = 128\r\nAn even higher degree of compromise: Chrome injects\r\nAs if it weren’t enough that it can stop calls and launch other aggressive commands on the victim’s phone,\r\nMazar BOT is also capable of injecting itself into Chrome.\r\nAnd there are several other settings and commands that Mazar BOT can trigger, as showcased below. These\r\ninclude:\r\nControlling the phone’s keys\r\nEnabling the sleep mode\r\nSave actions in the phone’s settings, etc.\r\nhttps://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/\r\nPage 3 of 6\n\nMazar BOT won’t run on Russian Android smartphones\r\nOur team was not surprised to observe that the malware cannot be installed on smartphones running Android\r\nwith the Russian language option. Mazar BOT will check the phone to identify the victim’s country and this will\r\nstop the malicious APK if the targeted phone turns out to be owned by a Russian user: locale.getCountry ()\r\nequalsIgnoreCase ( “RU”)) Process.killProcess (Process.myPid ());\r\nUntil now, Mazar BOT has been advertised for sale on several websites on the Dark Web, but this is the\r\nfirst time we’ve seen this code be abused in active attacks. Attackers may be testing this new type of Android\r\nmalware to see how they can improve their tactics and reach their final goals, which probably is making more\r\nhttps://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/\r\nPage 4 of 6\n\nmoney (as always). We can expect this malware to expand its reach, also because of its ability to remain covert by\r\nusing TOR to hide its communication. As you may have anticipated, antivirus detection of the malicious APK\r\nis very low: 3/54 on VirusTotal.\r\nClick here for the full infection rates at the time the campaign was analyzed.\r\nHow to protect yourself from Mazar BOT\r\nThere are a few things you can do to keep your phone safe from Mazar BOT, and we recommend you take a\r\nmoment now to verify and adjust these settings.\r\n1. First of all, NEVER click on links in SMS or MMS messages on your phone. Android phones are\r\nnotoriously vulnerable and current security product dedicated to this OS are not nearly as effective as they are on\r\ncomputers.\r\n2. Go to Settings \u003e Security and make sure this option is turned OFF: „Unknown Sources – Allow installation\r\nof apps from sources other than the playstore.”\r\n3. Install a top antivirus for Android. It may not be enough to protect your phone, but it’s certainly good to\r\nhave. You can find top-rated options in this article.\r\n4. Do not connect to unknown and unsecured Wi-Fi hotspots. There are plenty of dangers lurking out there,\r\nand following some common-sense steps to keep yourself safe from them is the best thing to do. Also, keep your\r\nWi-Fi turned OFF when you don’t use it.\r\nhttps://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/\r\nPage 5 of 6\n\n5. Install a VPN on your smartphone and use constantly. It’s good for both your privacy and your security.\r\n6. Maintain a cautious attitude at all times. Android security has not kept up with the high adoption rate of\r\nsmartphones running the OS, and users may have to wait a long time until better security solutions appear. Until\r\nthen, a careful evaluation of what happens on your phone is a very good safeguard.\r\nNewsletter\r\nIf you liked this post, you will enjoy our newsletter.\r\nGet cybersecurity updates you'll actually want to read directly in your inbox.\r\nAs a Security Specialist at Heimdal Security, Andra has made it her mission to help users understand how cyber\r\nsecurity works and why it’s essential for any Internet user in the world. Using her background in PR and\r\ncommunication, she singles out relevant subjects and extracts actionable market data and key examples to\r\nillustrate them.\r\nSource: https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/\r\nhttps://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
	],
	"report_names": [
		"security-alert-mazar-bot-active-attacks-android-malware"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f318343f81a9f68d23d9f28acf33b3696c24e8d.pdf",
		"text": "https://archive.orkl.eu/4f318343f81a9f68d23d9f28acf33b3696c24e8d.txt",
		"img": "https://archive.orkl.eu/4f318343f81a9f68d23d9f28acf33b3696c24e8d.jpg"
	}
}