{
	"id": "1a7d0bab-a0de-4e97-94be-c81d6d739753",
	"created_at": "2026-04-06T02:11:01.771291Z",
	"updated_at": "2026-04-10T13:12:19.922693Z",
	"deleted_at": null,
	"sha1_hash": "847018ea6060803b916317bc13092a64ede2e22a",
	"title": "Android users warned of malware attack spreading via SMS | Tripwire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49081,
	"plain_text": "Android users warned of malware attack spreading via SMS |\r\nTripwire\r\nBy Graham Cluley\r\nPublished: 2016-02-16 · Archived: 2026-04-06 01:34:18 UTC\r\nSecurity researchers are warning owners of Android smartphones about a new malware attack, spreading via SMS\r\ntext messages. As the team at Scandinavian security group CSIS describes, malware known as MazarBOT is being\r\ndistributed via SMS in Denmark and is likely to also be encountered in other countries. Victims' first encounter\r\nwith the malware reportedly comes via an unsolicited text message that their Android smartphone receives. The\r\ntxt message uses social engineering to dupe unsuspecting users into clicking on a link to a downloadable Android\r\napplication. CSIS provided a (sanitised) version of a typical message to warn users what to look out for:\r\n\"You have received a multimedia message from +[country code] [sender number] Follow the link\r\nhttp://www.mmsforyou[.]net/mms.apk to view the message\"\r\nOnce the APK package is downloaded, potential victims are urged to grant the malicious app a wide range of\r\npermissions on their Android device:\r\nSEND_SMS\r\nRECEIVE_BOOT_COMPLETED\r\nINTERNET\r\nSYSTEM_ALERT_WINDOW\r\nWRITE_SMS\r\nACCESS_NETWORK_STATE\r\nWAKE_LOCK\r\nGET_TASKS\r\nCALL_PHONE\r\nRECEIVE_SMS\r\nREAD_PHONE_STATE\r\nREAD_SMS\r\nERASE_PHONE\r\nOnce installed, MazarBOT downloads a copy of Tor onto users' Android smartphones and uses it to connect\r\nanonymously to the net before sending a text message containing the victim's location to an Iranian mobile phone\r\nnumber. With the malware now in place, a number of actions can be performed, including allowing attackers to\r\nsecretly monitor and control smartphones via a backdoor, send messages to premium-rate numbers, and intercept\r\ntwo-factor authentication codes sent by online banking apps and the like. In fact, with full access to the\r\ncompromised Android smartphone, the opportunities for criminals to wreak havoc are significant – such as erasing\r\ninfected phones or launching man-in-the-middle (MITM) attacks. In its analysis, CSIS notes that MazarBOT was\r\nreported by Recorded Future last November as being actively sold in Russian underground forums and\r\nhttps://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/\r\nPage 1 of 2\n\nintriguingly, the malware will not activate on Android devices configured with Russian language settings. This, in\r\nitself, does not prove that the perpetrators of the malware campaign are based in Russia, but it certainly sounds as\r\nif that is a strong possibility. Malware authors in the past have often coded a \"safety net\" into their malware to\r\nprevent them from accidentally infecting their own computers and devices. For more detailed information about\r\nthe threat, check out the blog post from CSIS. And, of course, remember to always be wary of unsolicited, unusual\r\ntext messages and installing apps from third-party sources on your Android smartphone.   Editor’s Note: The\r\nopinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect\r\nthose of Tripwire, Inc.\r\nflickr photo shared by Johan Larsson under a Creative Commons ( BY ) license\r\nSource: https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/\r\nhttps://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
	],
	"report_names": [
		"android-malware-sms"
	],
	"threat_actors": [],
	"ts_created_at": 1775441461,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/847018ea6060803b916317bc13092a64ede2e22a.pdf",
		"text": "https://archive.orkl.eu/847018ea6060803b916317bc13092a64ede2e22a.txt",
		"img": "https://archive.orkl.eu/847018ea6060803b916317bc13092a64ede2e22a.jpg"
	}
}