Eurograbber is Zitmo
Recently, Check Point and Versafe published a white paper on a mobile banking trojan they named Eurograbber. In fact, this is not new: it is called Zitmo, and s21sec, Fortinet (and others!) have been talking about it for nearly two years.
In January 2011, Kyle Yang and I presented full details of Zitmo at ShmooCon: the attack scenario, the syntax of commands, the processing of incoming SMS, the relationship with SMS Monitor. We even showed hidden debug windows left by the attackers and explained how to spoof the attacker. Why aren’t our work and that of our peers even mentioned? Scientific papers provide references and state of the art sections, and this only seems fair to me. So much for the ethics side.
On the technical side, a few issues should also be noted:
* Check Point and Versafe obviously had access to some C&C, which is interesting. Unfortunately, they don’t explain how. We assume the figures of 36 million stolen euros and 30,000 victims come from there. However, it should be noted that some researchers said the screenshots in the white paper were actually account balances and not stolen money. Let’s wait and see who’s right on that point, and let’s just keep in mind the figures might be wrong.
* Contrary to what is said in the report, Zitmo’s attack scenario does not require the victim to log into his/her bank account. Perhaps it occurred that way, but it is not required. At ShmooCon, we explained that, once infected, the whole process could occur while the victim was sleeping…
* Curiously, **all so-called “Eurograbber” samples we analyzed were already detected, except two new Symbian samples, which we are now detecting as SymbOS/Zitmo.C!tr.spy.** That variant is a simplified version of version A or B. Its particularities are that it uses Qt for Symbian and sends, by SMS, the GPS coordinates of a street in France, close to Orléans (no clue why so far). We hadn’t seen new versions on Symbian for a while, so this is interesting.
Finally, the most interesting point is certainly that this study is proof that Zitmo is being actively used in the wild. So go check your bank accounts now ;)
– the Crypto Girl
* D. Barroso, ZeuS Mitmo: Man-in-the-mobile, September 25, 2010
* A. Apvrille, ZeuS in the Mobile (Zitmo): online banking’s two factor authentication defeated, September 27, 2010
* A. Apvrille, Zitmo follow up: from spyware to malware, September 28, 2010
* A. Apvrille, K. Yang, Defeating mTANs for profit, ShmooCon 2011, Washington DC, USA, January 28-30 2011
* P. Konieczny, ZeuS straszy polskie banki (ING i mBank), February 21, 2011
* S. Sullivan, Zeus Mitmo Strikes Again: Polish ING Bank, February 21, 2011
* A. Apvrille, What’s New in Zitmo.B, February 23, 2011
* D. Maslennikov, ZeuS in the Mobile: Facts and Theories, October 6, 2011
* A. Apvrille, K. Yang, Defeating mTANs for Profit - part one and part two, Virus Bulletin, March-April 2011
* A. Apvrille, Zitmo hits Android, July 8, 2011
* M. Boodaei, Mobile Malware: Why Fraudsters Are Two Steps Ahead, July 11, 2011
* D. Maslennikov, Zeus-in-the-Mobile for Android, July 12, 2011
* C. Castillo, Spitmo vs Zitmo: Banking Trojans Target Android, September 14, 2011
* D. Desai, Malware Analysis Report Trojan: AndroidOS/Zitmo, September 2011
* D. Maslennikov, Android Security Suite Premium = New ZitMo, June 18, 2012
* A. Apvrille, Controlling Android/Zitmo by SMS commands, June 21, 2012
* D. Maslennikov, New ZitMo for Android and BlackBerry, August 7, 2012
* T. Strazzere, Android Zitmo Analysis: Now you see me, now you don’t, August 13, 2012
* K. de Pontevès, Zitmo timeline, November 19, 2012
* … I am stopping here. I hope I made the point that Zitmo is not new ;)