Zitmo hits Android

by Axelle Apvrille
July 8, 2011 at 7:47 am

Zitmo has been used by the ZeuS gang to defeat SMS-based two-factor authentication for online banking on Symbian, BlackBerry and Windows Mobile for several months (see my ShmooCon slides).

Lately, there has been an active discussion on technical forums about ZeuS targeting Android users. We finally managed to get our hands on the mobile sample that the ZeuS PC trojans are propagating.
Actually, it is not a new sample and has already been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far scarier when propagated by the ZeuS gang.

The malware poses as a banking activation application:

(screenshot: Zitmo trojan spyware for Android)

In the background, it listens for all incoming SMS messages and forwards them to a remote web server. It is simple, but just enough for the ZeuS gang to grab your banking mTANs (the one-time transaction codes banks send by SMS)...

(screenshot: Wireshark capture of Zitmo forwarding an incoming SMS from the infected phone to a remote web server)
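The behaviour described above (listen for incoming SMS, forward them over the network) leaves a recognisable footprint in an Android manifest: the RECEIVE_SMS and INTERNET permissions together with a BroadcastReceiver registered for the SMS_RECEIVED action. The following triage script is an added example, not Fortinet's detection and not code from the Zitmo sample: the two manifests it checks are constructed for illustration, the package names are made up, and the heuristic is mine. A compiled APK stores AndroidManifest.xml as binary XML, so in practice you would decode it first (apktool or androguard) and feed the decoded text to this function.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
INTERNET = "android.permission.INTERNET"


def android_attr(name):
    """ElementTree key for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest for illustration (NOT the Zitmo sample's manifest):
# a "bank activation" app that asks for SMS and network access and registers
# a high-priority receiver for incoming SMS, i.e. the shape of an SMS forwarder.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankactivation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank activation">
    <activity android:name=".ActivationActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: network access, no interest in SMS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Flag manifests that combine an SMS_RECEIVED receiver with network access."""
    root = ET.fromstring(xml_text)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}

    # Every <receiver> whose <intent-filter> subscribes to incoming SMS,
    # with the filter priority (0 when unspecified).
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {act.get(android_attr("name")) for act in filt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = filt.get(android_attr("priority"))
                sms_receivers.append((rcv.get(android_attr("name")), int(prio) if prio else 0))

    findings = []
    if RECEIVE_SMS in perms and sms_receivers:
        findings.append("receiver registered for SMS_RECEIVED")
    if any(prio > 0 for _, prio in sms_receivers):
        findings.append("SMS receiver has elevated priority: it sees the broadcast before "
                        "lower-priority receivers (on Android of that era it could abort it too)")
    if sms_receivers and INTERNET in perms:
        findings.append("SMS receiver plus INTERNET permission: intercepted messages "
                        "can be sent off the phone")

    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "sms_receivers": sms_receivers,
        "findings": findings,
        "suspicious": bool(sms_receivers) and INTERNET in perms,
    }


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, result["package"], "suspicious =", result["suspicious"])
        for f in result["findings"]:
            print("  -", f)
```

This is a triage heuristic, not a verdict: a legitimate SMS client matches the same pattern, and a sample can also register its receiver at runtime rather than in the manifest. What the manifest gives you is a fast reason to look at the receiver's code and the network traffic, which is where the Wireshark capture above comes in.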

We’ll keep you posted on this one.

– the Crypto Girl

PS. F-Secure, s21sec and Kaspersky contributed to finding this sample. Thanks for their cooperation.

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

When Your Phone Becomes Your Worst Enemy

by Axelle Apvrille
October 27, 2009 at 9:39 am

If smart phones were human, we would most probably compare them to assistants – you know, those organized persons we rely on to cope with our own lack of memory and who will remind us of any important meeting and never lose any valuable phone number.

Others would perhaps compare them to close friends to whom one can tell secrets (your bank PIN ?) or with whom one shares a few holiday or family pictures.

It looks like few of us consider the betrayal of such a close friend, turning him/her into our worst enemy. Yet this is exactly what mobile phone spyware represents: it can intercept our phone calls, SMS or MMS messages, locate us geographically, listen to our surroundings, take pictures, download contacts, log activity, etc. True, most of us do not have much to hide, but we would nevertheless plainly hate to be spied on. People once stood up for human rights. As a reminder, the Universal Declaration of Human Rights, article 12, states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Unfortunately, we at Fortinet have noticed an increase in new mobile phone spyware over the last few months. Since March 2009, we have added detection for 9 new families, and for at least five of them we were the first vendor to do so (iPhoneOS/Trapsms, Spy/MobileSpy!iPhoneOS, Spy/CallMagic!SymbOS, Spy/Spyiolan!SymbOS, Spy/PhotoSpy!SymbOS). Mobile phone spyware now represents 10 percent of mobile phone malware for Symbian, WinCE and iPhone. And there is more to come: we even know of development suites dedicated to creating mobile phone spyware.

Nearly all mobile phone spyware is commercial, with products selling for anywhere from tens to over a thousand dollars. They are advertised for markets such as parental control, cheating spouses, employee monitoring or video surveillance. Whether those products are legal or not is not the point of this blog entry. The *fact* is that nowadays this spyware can be found on warez / underground forums, and hence ends up (sometimes for free) in the wrong hands: malware authors or other cyber-criminals. The other fact is that we now spot samples in the wild, sent by SMS or MMS.

So, the risk is growing, that’s for sure. Keep an eye on your phone, and make sure it’s not betraying you.


Detecting spyware for iPhones

by Axelle Apvrille
July 16, 2009 at 12:18 pm

There are days where I wonder if people really care about privacy (except for these people). Most people don’t see any problem in telling the entire world what they’re doing (Twitter), who they know or see (Facebook) or where they are: the kind of stuff teenagers hate to tell their parents.

Mobile phones are just the perfect platform for spying because they are portable (iPhones are such beauties one hates to leave them behind!) and seen as private devices (would you share your nice iPhone, huh?). Depending on its features, mobile spyware records and forwards incoming and outgoing SMS, MMS, voice calls, geographic location, etc.

Recently, I finally laid my hands on an iPhone spyware sample. Actually, it has probably been out for a while, but I was surprised to discover that nobody seemed to be detecting it yet. The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end that helps install third-party applications), you first add the URL of the spyware’s repository and then install the two spyware packages:

SmsTrapUI: a user interface package that assists the spy in installing the spyware. Once the spyware is configured, the spy can erase this package:

(screenshot: trapsms-iphone-smstrap-cydia)

Std: the spyware daemon. It installs in /usr/sbin and does not display any new icon on the iPhone’s springboard. This daemon collects information on each SMS (phone number, text, timestamp and an incoming/outgoing indicator) and sends it to a SQL database behind the spyware’s website.

(screenshot: trapsms-iphone-smstrapui)

Okay, so the spyware installs and works. As an antivirus analyst, my next task was to get the original samples onto my work host (the host where I work out detections for malware). I could have connected to the iPhone via SSH (iPhone Tunnel Suite), but then I would have had to go through all the directories the packages had installed files into and retrieve them. I settled for a simpler solution: Cydia uses Debian-style repositories, so I downloaded the samples directly from there. A Debian-style repository typically includes two index files, Release and Packages (or Packages.bz2). So, I first downloaded Release:
$ wget http://xxxxx/x/Release
$ cat Release
Origin: ST
Label: ST
Suite: stable
Version: 1.0
Codename: st
Architectures: iphoneos-arm
Components: main
Description: ST Main repository
248bf63c4e179ef82d4fe4ba86a42c03 547 main/binary-iphoneos-arm/Packages
3b6d6f28d5346f9d911a067fccb64f5f 335 main/binary-iphoneos-arm/Packages.bz2

The Release file mentions that both Packages and Packages.bz2 exist, so I then downloaded Packages:
$ wget http://xxxxx/x/Packages
$ cat Packages
MD5Sum: 762bf733c5a9b03b787c23ffc64d63a7
Maintainer: ST Team
Description: ST Daemon.
Package: com.st.std
Section: Utilities
Author: ST Team
Filename: ./std-1.1-1_iphoneos-arm.deb
Version: 1.1-1
Architecture: iphoneos-arm
Size: 11634
Name: STD

MD5Sum: bed10acddc436a5dfdb77a35dc6e74ad
Maintainer: ST Team
Description: SmsTrap User Interface
Package: com.st.SmsTrapUI
Section: Utilities
Author: ST Team
Filename: ./SmsTrapUI-1.1-1_iphoneos-arm.deb
Depends: com.st.std, quickload
Version: 1.1-1
Architecture: iphoneos-arm
Size: 26184
Name: SmsTrap

The Packages file gives the filenames of the two packages, so I can download them:
$ wget http://xxxxx/x/SmsTrapUI-1.1-1_iphoneos-arm.deb
$ wget http://xxxxx/x/std-1.1-1_iphoneos-arm.deb

I can now unpack the .deb packages, and detect the relevant parts of the spyware.
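The steps above (read Release, read Packages, resolve the .deb filenames) are easy to script, which matters when a repository carries more than two packages or when you want to confirm that the index you fetched is the one Release describes. The script below is an added example, not code from the post or from the spyware; it embeds the Release and Packages listings exactly as they appear above, uses the post's redacted base URL http://xxxxx/x, and does no network access itself: it parses the two indexes, checks a Packages body against the MD5 and size listed in Release, and produces the download list with each package's expected MD5Sum and Size so the fetched .deb files can be checked the same way. Note that the Release checksums only tie Packages to Release; without a signed Release (Release.gpg) they prove integrity against a transfer error, not against a hostile repository.

```python
import hashlib
import re

# Index files copied from the post (the repository host is redacted there as xxxxx).
RELEASE_TEXT = """Origin: ST
Label: ST
Suite: stable
Version: 1.0
Codename: st
Architectures: iphoneos-arm
Components: main
Description: ST Main repository
248bf63c4e179ef82d4fe4ba86a42c03 547 main/binary-iphoneos-arm/Packages
3b6d6f28d5346f9d911a067fccb64f5f 335 main/binary-iphoneos-arm/Packages.bz2
"""

PACKAGES_TEXT = """MD5Sum: 762bf733c5a9b03b787c23ffc64d63a7
Maintainer: ST Team
Description: ST Daemon.
Package: com.st.std
Section: Utilities
Author: ST Team
Filename: ./std-1.1-1_iphoneos-arm.deb
Version: 1.1-1
Architecture: iphoneos-arm
Size: 11634
Name: STD

MD5Sum: bed10acddc436a5dfdb77a35dc6e74ad
Maintainer: ST Team
Description: SmsTrap User Interface
Package: com.st.SmsTrapUI
Section: Utilities
Author: ST Team
Filename: ./SmsTrapUI-1.1-1_iphoneos-arm.deb
Depends: com.st.std, quickload
Version: 1.1-1
Architecture: iphoneos-arm
Size: 26184
Name: SmsTrap
"""

# "<md5> <size> <path>", optionally indented as under a real "MD5Sum:" header.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\d+)\s+(\S+)\s*$")


def parse_release(text):
    """Return (header fields, [(md5, size, path), ...]) from a Release file."""
    fields, entries = {}, []
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            entries.append((m.group(1).lower(), int(m.group(2)), m.group(3)))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, entries


def parse_packages(text):
    """Split a Packages file into stanzas (blank-line separated "Key: value" blocks)."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    for s in stanzas:  # normalise Depends into a list of package names
        s["Depends"] = [d.strip() for d in s.get("Depends", "").split(",") if d.strip()]
    return stanzas


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify_index(release_entries, path, data):
    """True if `data` matches the MD5 and size that Release lists for `path`."""
    for md5, size, p in release_entries:
        if p == path:
            return len(data) == size and md5_hex(data) == md5
    return False


def download_plan(base_url, stanzas):
    """(package, url, expected md5, expected size) for every stanza's Filename."""
    plan = []
    for s in stanzas:
        fn = s["Filename"]
        if fn.startswith("./"):  # Filename is relative to the repository root
            fn = fn[2:]
        plan.append((s["Package"], base_url.rstrip("/") + "/" + fn,
                     s["MD5Sum"].lower(), int(s["Size"])))
    return plan


if __name__ == "__main__":
    fields, entries = parse_release(RELEASE_TEXT)
    body = PACKAGES_TEXT.encode()
    print("Architectures:", fields["Architectures"])
    print("Packages matches Release:",
          verify_index(entries, "main/binary-iphoneos-arm/Packages", body))
    for pkg, url, md5, size in download_plan("http://xxxxx/x", parse_packages(PACKAGES_TEXT)):
        print(pkg, url, md5, size)
```

The Packages text reproduced here is what survived on the page, not the original 547 bytes, so the Release check on it is expected to report a mismatch; against the bytes actually fetched from the repository it should pass. Once the .deb files are downloaded and their MD5Sum and Size match the stanza, unpacking is standard: a .deb is an ar archive holding debian-binary, control.tar.* (maintainer scripts, which are worth reading for a spyware sample) and data.tar.* (the files installed on the phone, such as the daemon under /usr/sbin).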