A new variant of Zitmo, the Zeus Trojan spyware application that steals people's financial data, has been detected. It is designed to infect Android smartphones; earlier versions have been defeating SMS-based banking two-factor authentication on the Symbian, BlackBerry and Windows Mobile platforms for several months, researchers from Fortinet have discovered.
According to Axelle Apvrille, a senior antivirus analyst and researcher for Fortinet, the Zitmo malware poses as a banking activation application, listens to all incoming SMS messages in the background and forwards them to a remote web server.
The SMS-based two-factor authentication system used by banks requires the customer to enter both their password and a 'Transaction Authentication Number' (TAN) - which is sent to their mobile device via SMS - in order to complete a transaction. This is considered more secure because it is deemed unlikely that criminals would be able both to steal passwords and to have access to the user's mobile device. However, the Android variant of Zitmo beats this system: Zitmo intercepts these TANs and can create and verify fraudulent money transfers.
Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for several months, said Apvrille.
According to InformationWeek, the attack is ingenious because the malicious smartphone application is often pushed by malware that has already infected a PC, but not until the user visits a banking website. At that point the malware kicks in and asks the user to download an authentication or security component onto their mobile device in order to complete the login process, said Trusteer CEO Mickey Boodaei. The user wrongly assumes this message comes from the bank, while in reality it comes from the malware. Once the user installs the malware on the mobile device, the fraudsters control both the user's PC and the user's phone.
The Zitmo used for Symbian, BlackBerry and Windows Mobile is quite different from the Zitmo version used on Android. Denis Maslennikov, senior malware researcher at Kaspersky Lab, said: "The functionality and logic of Zitmo for Symbian, Windows Mobile and BlackBerry is the same, including the command and control phone number, SMS commands and the ability to forward SMS messages from a particular number, as well as the ability to change the command and control centre.
"The functionality and logic of ZitMo for Android is far more primitive. The APK file itself has a 19k size. It passes itself off as a security tool from Trusteer. If a user installs the malicious application, then the 'Trusteer Rapport' icon will appear in the main menu, and that is what is going to be on the screen after clicking on the application's link."
According to Eddy Willems, G Data security evangelist, the current variant of Zitmo is an indicator of Android coming increasingly under attack due to its popularity.
Boodaei said: "Android's security architecture is not currently up to the challenge. This is reflected mainly in the ease of generating powerful fraudulent applications and the ease of distributing these applications. Users installing these applications do get a message with a list of resources the app is requesting access to, but would usually ignore it, as many applications request access to an extensive list of resources."
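The permission list Boodaei refers to is exactly what an analyst or app-store reviewer can triage for: an app that asks to receive SMS in the background and also has a channel to send them off the device (the pattern described above) deserves a closer look. The script below is an added example, not code from the article or from any of the vendors quoted; it parses a decoded AndroidManifest.xml and flags that combination. The manifest it runs on is constructed to imitate a fake "security component" app and is not the real sample.

```python
"""Triage a decoded AndroidManifest.xml for the Zitmo-style SMS-stealer
pattern: a background SMS receiver plus a way to exfiltrate what it sees."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest (not the real sample) imitating a fake bank security tool.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebanktool">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Tool">
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the requested permissions, SMS receivers and risk flags."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Receivers registered for incoming SMS broadcasts, with their priority;
    # a high priority lets the app see a message before the default SMS app.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                sms_receivers.append((receiver.get(ANDROID_NS + "name"), prio))
    reads_sms = bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    can_exfil = bool(perms & {"android.permission.INTERNET", "android.permission.SEND_SMS"})
    flags = []
    if reads_sms and sms_receivers:
        flags.append("background SMS listener")
    if reads_sms and can_exfil:
        flags.append("SMS access combined with a network or SMS exfiltration channel")
    if any(prio > 0 for _, prio in sms_receivers):
        flags.append("high-priority SMS receiver")
    return {"package": root.get("package"), "permissions": sorted(perms),
            "sms_receivers": sms_receivers, "flags": flags,
            "suspicious": len(flags) >= 2}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate SMS app will trip the first flag on its own, so the verdict is a triage hint that prompts manual review, not a malware verdict.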
Maslennikov believes that the first attacks of Zitmo for Android began in June.