Malware descriptions

ZeuS-in-the-Mobile for Android

The first version of ZeuS-in-the-Mobile (ZitMo), malware which targets mTANs, was discovered in the end of September 2010. In that case it was targeting Symbian smartphones. Later on, ZitMo versions for Windows Mobile and Blackberry were found. It comes as no surprise that cybercriminals have created new and sophisticated pieces of mobile malware for Symbian and Windows Mobile; more surprising is that Blackberry devices were also targeted; and even more surprising is that until July 2011 there was no evidence of ZitMo for Android’s existence. And now please ‘welcome’ ZeuS-in-the-Mobile for Android.

The first fact that must be mentioned is that ZitMo for Android differs from Symbian, Windows Mobile and Blackberry versions a lot. The functionality and logic of ZitMo for Symbian, Windows Mobile and Blackberry is the same: C&C cell phone number, SMS commands, and the ability to forward SMS messages from a particular number, as well as the ability to change C&C.

The functionality and logic of ZitMo for Android is far more primitive. The APK file itself has a 19k size. It passes itself off as a security tool from the ‘Trusteer’ company. If a user installs the malicious application then the following ‘Trusteer Rapport’ icon will appear in the main menu:

And that’s what going to be on the screen after clicking on the application’s link:

As I said previously, ZitMo for Android is very primitive. Its functionality consists only of the ability to upload all incoming SMS messages (with mTANs also) to a remote web server http://****** in the following format:


The first attacks with ZeuS-in-the-Mobile for Android started probably in early June. But how does ZitMo for Android actually infect devices? Nothing has changed in this area.

We found one of the Win32 ZeuS configuration files which contains following ‘suggestion’:

If the user chooses ‘Android’ and clicks ‘Continue’ he will be redirected to the following page where he is asked to download the ‘security tool’:

If the user chooses any other option (‘iOS (iPhone)’, ‘BlackBerry’, ‘Symbian (Nokia)’ or ‘Other’) they will get… nothing!

In other words this particular attack was targeting only Android devices.

But besides the site http://*************.com/tr.apk cybercriminals have also uploaded ZitMo for Android to the Android Market. The application has already been removed but, as it was in previous cases of malware in the Android Market, there are mirroring websites which save the information about all the programs approved by Google. In the case of ZitMo for Android, the application was uploaded with the ‘TrustMobile’ name probably on the 18th of June.

So, now we have ZitMo targeting 4 platforms: Symbian, Windows Mobile, Blackberry and Android. As we wrote in our previous blog about ZeuS-in-the-Mobile ‘cybercriminals are still very far away from stopping their activities’.

ZeuS-in-the-Mobile for Android

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox