
S0303: MazarBOT

MazarBOT is Android malware that was distributed via SMS in Denmark in 2016. [1]

Platform: Mobile. ID: S0303. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

MazarBOT matters because it shows how mobile malware can turn a personal or corporate Android device into a business risk through SMS-based distribution, SMS message access, and traffic generation from the victim device. For leaders, the practical issue is not this specific 2016 Denmark campaign alone; it is whether mobile governance, user reporting, SMS-related permissions, and incident response processes can recognize and contain malware that abuses messaging channels.

Executive priority

Treat this as a mobile security readiness and evidence question: do you know which business users rely on Android devices, whether SMS is used in identity or operational workflows, and whether your teams can investigate suspicious SMS distribution or unauthorized traffic from mobile devices? This behavior can affect fraud exposure, account recovery risk, user trust, and compliance evidence around mobile endpoint controls, especially where bring-your-own-device or lightly managed devices are in scope.

Technical view

ATT&CK provides no official detection text and no tactics for MazarBOT, so SOC and IR teams should validate coverage using the relationship context: SMS Messages (T1636.004) and Generate Traffic from Victim (T1643). Defensive validation should focus on Android devices and on evidence that an app requested or used SMS-related capabilities, accessed SMS content where permitted, or generated outbound SMS/web traffic inconsistent with normal user activity. Because the object is sparse, detection should be environment-driven rather than signature-only.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory for Android devices and installed applications
  • Android application permission records, especially SMS-related permissions such as SEND_SMS where available
  • Mobile security or endpoint telemetry showing suspicious app installation, permission use, or risky behavior
  • Carrier, billing, or telecom records showing unusual outbound SMS activity or traffic patterns
  • User reports of unexpected SMS messages, links, prompts, charges, or device behavior

Detection direction

  • Confirm whether mobile telemetry can identify apps with SMS access or SMS-sending capability on Android devices.
  • Correlate unusual outbound SMS or web traffic from a device with recent app installation, permission changes, or user-reported SMS lures.
  • Account for false positives from legitimate messaging, carrier, authentication, or business communication apps that may use SMS permissions.
  • Do not assume iOS SMS access is equivalent: the related technique notes no standard iOS API for SMS access, with additional risk only in rooted or jailbroken conditions.
  • Build triage playbooks for SMS-distributed mobile malware reports, including user reporting, device isolation guidance, app inventory review, and preservation of relevant mobile evidence.
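One way to turn the correlation above (SMS-capable app, recent install, outbound SMS burst, allowlisted business apps excluded) into a runnable check. This is an added example, not part of the Glexia analysis or MITRE's object; it assumes MDM inventory rows carrying package names, install times and Android permission strings, a per-device outbound SMS log, and a hypothetical allowlist and hourly baseline. All inputs are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
# Hypothetical allowlist of vetted apps that legitimately hold SMS permissions.
ALLOWLIST = {"com.example.corp.messenger", "com.example.authenticator"}
BASELINE_SMS_PER_HOUR = 5  # assumed normal ceiling for a single device

# Constructed MDM inventory rows: (device_id, package, install_time, permissions)
INVENTORY = [
    ("dev-01", "com.example.corp.messenger", "2016-02-10T09:00:00",
     {"android.permission.SEND_SMS"}),
    ("dev-01", "com.example.flashupdate", "2016-02-16T14:05:00",
     {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}),
    ("dev-02", "com.example.notes", "2016-02-16T14:00:00", set()),
]
# Constructed outbound SMS records: (device_id, sent_time); 12 in one hour on dev-01
SMS_LOG = [("dev-01", f"2016-02-16T14:{m:02d}:00") for m in range(10, 58, 4)] + \
          [("dev-02", "2016-02-16T15:00:00")]


def _ts(s):
    return datetime.fromisoformat(s)


def find_suspicious(inventory, sms_log, window_hours=24):
    """Return (device, package, peak_sms_per_hour) for unvetted SMS-capable
    apps whose install precedes an hourly outbound SMS burst above baseline."""
    findings = []
    for device, package, installed, perms in inventory:
        if package in ALLOWLIST or not (perms & SMS_PERMS):
            continue  # vetted app, or no SMS capability: not this hunt's target
        start = _ts(installed)
        end = start + timedelta(hours=window_hours)
        # Bucket this device's outbound SMS by hour within the post-install window
        per_hour = Counter(
            _ts(t).replace(minute=0, second=0)
            for d, t in sms_log if d == device and start <= _ts(t) <= end)
        peak = max(per_hour.values(), default=0)
        if peak > BASELINE_SMS_PER_HOUR:
            findings.append((device, package, peak))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(INVENTORY, SMS_LOG):
        print("review:", finding)
```

The allowlist and baseline are the tuning knobs called out in the false-positive bullet; both should be set per environment from the telemetry listed above.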

Mitigation priorities

  • Maintain mobile device inventory and define which Android devices are allowed to access business resources.
  • Use mobile management controls to review, restrict, or alert on risky SMS-related permissions where feasible.
  • Educate users to report unexpected SMS links or prompts, especially where devices are used for business or identity workflows.
  • Reduce reliance on SMS for sensitive authentication or recovery processes where risk owners determine stronger alternatives are required.
  • Prepare IR procedures for mobile malware cases, including evidence collection, device remediation decisions, and review of affected accounts or services.

Analyst notes and limits

The supplied ATT&CK object identifies MazarBOT as Android malware distributed via SMS in Denmark in 2016 and links it to SMS message access and victim-generated traffic techniques. The most useful defensive takeaway is to validate mobile telemetry, SMS permission visibility, and response processes rather than over-focus on the named malware family.

ATT&CK provides no official detection guidance, no explicit tactics, no aliases, and no object-level platforms beyond the Android statement in the description. Local device management, telecom, and mobile security data are required to determine actual exposure or coverage. This summary does not assert current activity, attribution, impact, or guaranteed detectability.

Official MITRE ATT&CK definition

MazarBOT

MazarBOT is Android malware that was distributed via SMS in Denmark in 2016. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1643 | Generate Traffic from Victim | MazarBOT can send messages to premium-rate numbers. [1]
Mobile | T1636.004 | SMS Messages (sub-technique) | MazarBOT can intercept two-factor authentication codes sent by online banking apps. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 53b05399b008d5ce...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 53b05399b008…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Tripwire-MazarBOT: Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.
  2. [2] MazarBOT (Citation: Tripwire-MazarBOT)
  3. [3] mitre-attack S0303

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.