Malware descriptions

ZeuS-in-the-Mobile for Android

The first version of ZeuS-in-the-Mobile (ZitMo), malware which targets mTANs, was discovered in the end of September 2010. In that case it was targeting Symbian smartphones. Later on, ZitMo versions for Windows Mobile and Blackberry were found. It comes as no surprise that cybercriminals have created new and sophisticated pieces of mobile malware for Symbian and Windows Mobile; more surprising is that Blackberry devices were also targeted; and even more surprising is that until July 2011 there was no evidence of ZitMo for Android’s existence. And now please ‘welcome’ ZeuS-in-the-Mobile for Android.

The first fact that must be mentioned is that ZitMo for Android differs from Symbian, Windows Mobile and Blackberry versions a lot. The functionality and logic of ZitMo for Symbian, Windows Mobile and Blackberry is the same: C&C cell phone number, SMS commands, and the ability to forward SMS messages from a particular number, as well as the ability to change C&C.

The functionality and logic of ZitMo for Android is far more primitive. The APK file itself has a 19k size. It passes itself off as a security tool from the ‘Trusteer’ company. If a user installs the malicious application then the following ‘Trusteer Rapport’ icon will appear in the main menu:

And that’s what going to be on the screen after clicking on the application’s link:

As I said previously, ZitMo for Android is very primitive. Its functionality consists only of the ability to upload all incoming SMS messages (with mTANs also) to a remote web server http://******rifty.com/security.jsp in the following format:

f0={SMS_sender_number}&b0={SMS_text}&pid={infected_device_ID}

The first attacks with ZeuS-in-the-Mobile for Android started probably in early June. But how does ZitMo for Android actually infect devices? Nothing has changed in this area.

We found one of the Win32 ZeuS configuration files which contains following ‘suggestion’:

If the user chooses ‘Android’ and clicks ‘Continue’ he will be redirected to the following page where he is asked to download the ‘security tool’:

If the user chooses any other option (‘iOS (iPhone)’, ‘BlackBerry’, ‘Symbian (Nokia)’ or ‘Other’) they will get… nothing!

In other words this particular attack was targeting only Android devices.

But besides the site http://*************.com/tr.apk cybercriminals have also uploaded ZitMo for Android to the Android Market. The application has already been removed but, as it was in previous cases of malware in the Android Market, there are mirroring websites which save the information about all the programs approved by Google. In the case of ZitMo for Android, the application was uploaded with the ‘TrustMobile’ name probably on the 18th of June.

So, now we have ZitMo targeting 4 platforms: Symbian, Windows Mobile, Blackberry and Android. As we wrote in our previous blog about ZeuS-in-the-Mobile ‘cybercriminals are still very far away from stopping their activities’.

ZeuS-in-the-Mobile for Android

Your email address will not be published.

 

Reports

Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Subscribe to our weekly e-mails

The hottest research right in your inbox