Android Mazarbot spreads via phishing pages for Raiffeisen Bank


SonicWall Capture Labs Threat Research team observed yet another Android malware campaign that targets a bank , this time the target being Raiffeisen Bank. This campaign uses the Android banking trojan MazarBot – which first made its appearance in 2016 – to infect the victim’s device. This malware has capabilities of executing a number of hard-coded commands which are focused on stealing the victim’s personal information.

Infection Cycle – Stage I

The victim receives a spam email requesting him to enter the Raiffeisen banking login credentials. The credentials are stolen and sent to the attacker if the user is not careful enough and trusts the fake webpage to be authentic. The next page requests the victim to install an Android security app related to Raiffeisen, which is essentially Mazarbot in disguise. The app was hosted on the following URL which has now been taken down:


Infection Cycle – Stage II

The malware app requests for the following permissions during installation:

  • change network state
  • uses policy force lock
  • bluetooth
  • internet
  • access fine location
  • send sms
  • write sms
  • access network state
  • write external storage
  • get package size
  • read external storage
  • receive boot completed
  • vibrate
  • call phone
  • write settings
  • read phone state
  • read sms
  • battery stats
  • access wifi state
  • wake lock
  • change wifi state
  • receive sms
  • read contacts
  • use sip

Upon execution the malware requests for Device Administrative privileges:

We analyzed a couple of malicious samples belonging to this campaign, the code in each one of them follows different format. However every sample shares a common trait – the code is confusing to follow because of jumbled class and variable names:

There are a number of hardcoded commands in these samples, for one such sample the malware masquerades these commands in the code by appending **83Y**:

De-obfuscating this part of the code reveals a number of hardcoded commands indicating that this malware follows a bot structure, some of the interesting findings are as follows:

  • aT = a(“Bot is not able to run that command”);
  • Grab device related information

  • bc = a(“get_packages”);
  • bd = a(“get_device_model”);
  • be = a(“get_os_ver”);
  • bf = a(“get_number”);
  • bg = a(“get_operator”);
  • bh = a(“get_imei”);
  • bi = a(“get_country”);
  • bj = a(“get_contacts”);
  • bk = a(“get_language”);
  • dj = a(“imei”);
  • dl = a(“getSimOperatorName”);
  • dm = a(“getNetworkOperatorName”);
  • Capture Credit Card related information

  • bn = a(“mastercard”);
  • bo = a(“visa”);
  • bp = a(“amex”);
  • bq = a(“Incorrect credit card number”);
  • cf = a(“send_card_number”);
  • cg = a(“number”);
  • ch = a(“month”);
  • ci = a(“year”);
  • cj = a(“cvc”)
  • Monitor specific apps

  • ck = a(“”); – Paypal
  • cl = a(“”); – Google Play
  • Capture SMS messages related commands

  • cV = a(“base_sms_intercept”);
  • cW = a(“createFromPdu”);
  • cX = a(“processIncomingMessages”);
  • dk = a(“getMessageBody”);
  • Tamper contacts detail

  • cS = a(“UploadContactsRequest”);
  • cT = a(“inject_id”);
  • cU = a(“body”);
  • Check if the malware is being run on a virtual environment/debugger

  • es = a(“isDeb”);
  • et = a(“generic”);
  • eu = a(“unknown”);
  • ev = a(“google_sdk”);
  • ew = a(“Emulator”);
  • ex = a(“Android SDK built for x86”);
  • ey = a(“Genymotion”);
  • ez = a(“sdk”);
  • eA = a(“sdk_x86”);
  • eB = a(“vbox86p”);
  • eC = a(“golfdish”);
  • eD = a(“ranchu”);
  • eE = a(“android|emergency calls only|fakecarrier”);
  • eF = a(“Debug”);
  • eG = a(“ugger”);
  • bB = a(“screen_lock”);

Overall this campaign uses phishing pages for Raiffeisen Bank to spread its infection. It focuses on stealing sensitive user related information which is stored on the infected device. It is likely that this campaign spreads via other phishing webpages belonging to other banks/establishments.

SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures:

  • GAV: AndroidOS.Banker.RF (Trojan)
  • GAV: AndroidOS.Banker.TN (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.