High Performance Network Security, Enterprise and Data-Center Firewall

Zitmo hits Android

by Axelle Apvrille  |  July 08, 2011  |  Category: Security Research

Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for several months (see my ShmooCon slides).

Lately, there's been an active discussion on technical forums regarding ZeuS targeting Android users. We finally managed to get our hands on the mobile sample the ZeuS PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far scarier when propagated by the ZeuS gang.

The malware poses as a banking activation application:

[Figure: Zitmo trojan spyware for Android]

In the background, it listens to all incoming SMS messages and forwards them to a remote web server. It's simple, but just enough for the ZeuS gang to grab your banking mTANs...

[Figure: Wireshark capture of Zitmo forwarding an incoming SMS (on the infected phone) to a remote web server]
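The behaviour described above (register for every incoming SMS, then push it to a web server) leaves a recognisable footprint in an Android app's manifest: the RECEIVE_SMS permission, a broadcast receiver for SMS_RECEIVED, and INTERNET access. The following Python script is an added example, not code from this post and not FortiGuard's detection logic; it triages a manifest for that combination. Both manifests embedded in it are constructed samples, not the actual Zitmo sample, and the "priority >= 100" threshold is an assumed heuristic.

```python
"""Static triage of an AndroidManifest.xml for the SMS-interception pattern:
a receiver for every incoming SMS combined with network access.
Added illustrative heuristic; the manifests below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 100  # assumed threshold for "wants the SMS before the messaging app"

# Constructed manifest mimicking what a fake "bank activation" app would declare.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankactivation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Activation">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: network access, but no interest in SMS.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree keys it as {ns}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Extract package name, requested permissions and declared receivers."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            prio = filt.get("{%s}priority" % ANDROID_NS)
            receivers.append({
                "name": _attr(rcv, "name"),
                "actions": {_attr(a, "name") for a in filt.findall("action")},
                "priority": int(prio) if prio is not None else 0,
            })
    return {"package": root.get("package"), "permissions": perms, "receivers": receivers}


def sms_interception_indicators(info):
    """Return human-readable indicators of the intercept-and-forward pattern."""
    indicators = []
    perms = info["permissions"]
    sms_receivers = [r for r in info["receivers"] if SMS_RECEIVED_ACTION in r["actions"]]
    if "android.permission.RECEIVE_SMS" in perms and sms_receivers:
        indicators.append("registers a receiver for every incoming SMS")
    if any(r["priority"] >= HIGH_PRIORITY for r in sms_receivers):
        indicators.append("SMS receiver declares a high priority")
    if "android.permission.INTERNET" in perms and sms_receivers:
        indicators.append("combines SMS reception with network access (possible forwarding)")
    return indicators


def triage(xml_text):
    """Return (package, verdict, indicators) for one manifest."""
    info = parse_manifest(xml_text)
    indicators = sms_interception_indicators(info)
    verdict = "SUSPICIOUS" if len(indicators) >= 2 else "no SMS-interception pattern"
    return info["package"], verdict, indicators


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        pkg, verdict, hits = triage(manifest)
        print("%s: %s" % (pkg, verdict))
        for hit in hits:
            print("  -", hit)
```

The heuristic is deliberately coarse: legitimate SMS apps also request RECEIVE_SMS, so a hit is a reason to look at the receiver's code and network traffic (as in the Wireshark capture above), not a verdict on its own.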

We'll keep you posted on this one.

-- the Crypto Girl

PS. F-Secure, s21sec and Kaspersky contributed to finding this sample. Thanks for their cooperation.

