Spitmo gets on Android: mini-FAQ
Yes, you have probably heard the news: a new variant of Spitmo - Zitmo/ZeuS’s counterpart for SpyEye, which previously targeted Symbian phones only - has recently been spotted on Android. The scenario is the same as before: a victim, browsing on a PC infected with SpyEye, logs in her bank’s website. SpyEye injects forms and elements directly into the webpages she is viewing, so as to lure her into installing a fake security application on her phone, thinking it’s required by the bank. That application actually intercepts SMS messages - especially those carrying authentication codes.
If you are not familiar with Spitmo yet, it’s probably better you go and read Trusteer’s analysis first, as this post is focusing on a few details.
* How was the malware signed? It was signed using a test key publicly available from the CyanogenMod github repository. At least two other malware, Android/Netisend and_ Android/Pjapps_ use exactly the same certificate.
* Does it intercept all SMS? Like in Zitmo, Spitmo is capable of focusing only on some particular SMS messages it is interested in, for example those coming from your bank ;) This feature corresponds to a special entry in the malware’s XML configuration file: tels. Analysis I read don’t talk about this tag, but tels is designed to contain a list of originating phone numbers for which the malware should intercept SMS. The field is parsed by the code and each number is added to an array of numbers. If there are none (default situation), all SMS messages are intercepted.
* Intercepted SMS messages are sent via SMS or HTTP, huh? It’s the general idea, but more precisely the possibilities are:
* 1: send via HTTP only * 2: send via HTTP then via SMS * otherwise: send via SMS only
Most analysis say “2” is for SMS but it also sends via HTTP, and forget to mention the third case. Not that it matters very much, but let’s just put it straight.
* Was the malware used for real? It’s always difficult to be sure, but my guess would be this is just an initial test. Indeed, the malware’s configuration file sets the phone number to send intercepted SMS to 123 (which obviously isn’t a real phone number). As there doesn’t seem to be any update mechanism for the malware yet, malware authors have no way to modify this default configuration. They probably intend to in future versions.
* Which countries are involved or targeted? The malware is downloadable from a Spanish web server, the SpyEye drop zones were registered by someone in Poland, the code contains localized strings for Russia… As usual, cybercriminals are cautious to cover their tracks! Any of these countries could be concerned … or other countries! We have no better clue for now.
– the Crypto Girl