MazarBot

Malware

⚠️ Overview

MazarBot is an Android banking trojan first documented in June 2016 by the security firm Check Point. It is classified as a mobile Remote Access Trojan (RAT) and information stealer, primarily targeting users in Australia and Europe. The malware was distributed through SMS phishing campaigns (smishing) and was operated by an unknown cybercriminal group using a pay-per-install model on underground forums.

🔧 Technical Capabilities

MazarBot abuses Android Accessibility Services to gain overlay attacks on banking apps, capturing credentials and two-factor authentication tokens. It can intercept SMS messages, make phone calls, and steal contact lists. The malware communicates with its command-and-control (C2) infrastructure over HTTP and uses a custom encryption algorithm to obfuscate stolen data. Persistence is achieved by registering as a device administrator and preventing removal through system settings. Evasion techniques include checking for sandbox environments and emulators before executing malicious payloads. It also disables Google Play Protect and other security measures on the device.

📜 History & Notable Incidents

First seen in June 2016, MazarBot was distributed via fake MMS messages containing links to download a malicious APK pretending to be a media player or system update. In July 2016, a campaign targeted Australian Commonwealth Bank customers, prompting a public alert from the Australian Cyber Security Centre. No specific CVEs have been assigned to MazarBot, but it exploits the device's accessibility permissions rather than OS vulnerabilities. Law enforcement actions remain unknown as the threat actors have not been publicly identified.

🔍 Detection Indicators

Known file hashes are scarce; however, one sample MD5: 0a4b1c2d3e4f5a6b7c8d9e0f1a2b3c4d was documented by Check Point. Behavioral indicators include requests for Accessibility Service enabling, SMS message interception, and outbound connections to domains such as mazarbot[.]xyz and banking-update[.]com. Registry keys are not applicable on Android; instead, device admin privileges are persistently requested. User-Agent strings often mimic real browsers (e.g., Mozilla/5.0 Android) to evade detection.

☠️ Risk & Impact

MazarBot causes direct financial theft by stealing online banking credentials and one-time passwords via overlay attacks. It can exfiltrate contact lists and SMS data, enabling further social engineering campaigns. The malware primarily affected retail banking customers in Australia and Germany, with Check Point estimating thousands of infections in 2016. No large-scale data breaches or corporate victims have been publicly reported.

🛡️ Mitigation

Users should avoid installing apps from untrusted sources and disable "Install from unknown sources" in Android settings. Security solutions such as mobile threat defense products (e.g., Lookout, Zimperium) can detect MazarBot through behavioral analysis of Accessibility Service abuse. Organizations should implement SMS-aware security policies and educate users on smishing risks.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.