A piece of malware written for Android has been making its way around the underground Russian hacking networks for months, but it has just recently surfaced to Android security specialists. The interesting feature of the program: if it detects that the device is located in Russia, it stops installing itself.

Named MazarBOT, the program can take full control of an Android device and it appears to be targeted toward online banking customers, according to Peter Kruse, founder of Danish cybersecurity firm CSIS Security Group. In a post on CSIS’ website this week, Kruse discussed that CSIS was tipped off about the Android package after seeing unusual messaging activity to random phone numbers in Denmark. The messages contained a link to the malware installer.

“Until now, MazarBOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code to be deployed in active attacks,”

Keeping MazarBOT Quiet

Security analysts aren’t surprised by the MazarBOT’s location test. Most think that it’s a preventative measure by the program’s creators to keep from drawing attention from the Russian authorities.

Kruse notes that MazarBOT will likely be successful in bypassing most online banking security measures, allowing the program to view user’s passwords and read two-factor authentication codes sent by SMS.