The year 2013 was named The Menace Year mainly because of the rampant CryptoLocker, a nefarious ransomware that encrypts user files and demands a ransom in order to decrypt them. Before CryptoLocker came the unfashionable scareware programs such as FakeAV, which used scare tactics to convince the user to purchase the full version of the software. It did not take long before this Windows-based experience was applied to the Android platform. In the middle of 2013, the first representative scareware named...
by Dong Xie  |  Jul 14, 2014  |  Filed in: Security Research
2014 marks the 10th anniversary of Cabir, the world's first mobile phone malware. To mark this occasion, Fortinet's FortiGuard Labs is taking a stroll down memory lane to examine the evolution and significance of mobile threats during the last 10 years. From Cabir to FakeDefend, the last decade has seen the number of mobile malware families explode. In 2013, Fortinet's FortiGuard Labs saw more than 1,300 new malicious applications per day and is currently tracking more than 300 Android malware families and more than 400,000 malicious Android...
by Michael Perna  |  Jan 21, 2014  |  Filed in: Industry Trends
By now, most are familiar with the concept of phishing, where an attacker baits a victim by sending out a persuasive social engineering message coupled with a malicious link or attachment. And even spear phishing, where the attacker similarly reels in an intended target, only using highly personal information available via social media and Internet searches. But SMShing? Perhaps not surprisingly, the same concept applies to SMS messages. As its name suggests, SMShing is defined as the act of sending a fraudulent URL or phone number via SMS,...
by Stefanie Hoffman  |  Aug 14, 2013
Figure: Zitmo attack scenario, taken from my slides at ShmooCon, January 2011
Figure: Zitmo's attack scenario, taken from Check Point's and Versafe's white paper (Dec 2012)
Recently, Check Point and Versafe published a white paper on a mobile banking trojan they named Eurograbber. In fact, this is not new: it is called Zitmo, and s21sec, Fortinet (and others!) have been talking about it for nearly two years. In January 2011, Kyle Yang and I presented full details of Zitmo at ShmooCon: the attack scenario, the syntax of commands, the processing of incoming...
by Axelle Apvrille  |  Dec 07, 2012  |  Filed in: Security Research
Feel free to browse through our Zitmo timeline. Please note that variant naming depends on many factors, including but not limited to chronology. Hence variant letters (.A) don't always reflect the order of appearance in the wild.
by Karine de Ponteves  |  Nov 19, 2012  |  Filed in: Security Research
A new sample of Zitmo is out, pretending to be an Android Security Suite. Like the others in the Zitmo family, the malware is an SMS spy: it forwards incoming SMS messages to a remote server. This particular sample responds to a few basic SMS commands we have reversed. In the following video, we show one of these commands in action: an SMS whose body is "/" followed by a phone number sets up a new phone number for the spy. From then on, all future incoming SMS messages are also forwarded to that phone number. For more information, we have written a detailed description of...
by Axelle Apvrille  |  Jun 21, 2012  |  Filed in: Security Research
This is a short update to our prior post concerning Zitmo on Android. Is this really Zitmo? This fake Trusteer malware shows several differences from prior Symbian variants, but, for simplicity (and because it's easy to remember), we call it Zitmo. This does not mean this variant was written by the same authors (no proof on that account, one way or another), nor that it has exactly the same technical functionalities, or even, depending on naming policies, the same name among AV vendors; what we mean is that this sample was propagated by ZeuS...
by Axelle Apvrille  |  Jul 18, 2011  |  Filed in: Security Research
Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for several months (see my ShmooCon slides). Lately, there has been an active discussion on technical forums regarding ZeuS targeting Android users. We finally managed to get our hands on the mobile sample the ZeuS PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when...
by Axelle Apvrille  |  Jul 08, 2011  |  Filed in: Security Research
Zitmo is a mobile malware Fortinet has been focusing on since the beginning (see our first blog post and my presentation at ShmooCon 2011), as it is one of the first palpable signs that organized criminals are showing interest in infecting mobile phones. As you may know (see F-Secure's and Kaspersky's blog posts), it is unfortunately back, with a new version. So, technically speaking, what's new? It now supports Windows Mobile phones too, not only Symbian (there were rumors concerning a BlackBerry version, never confirmed). The default phone number...
by Axelle Apvrille  |  Feb 23, 2011  |  Filed in: Security Research
Tomorrow starts the quite famous (and always sold-out) security conference ShmooCon, held in Washington DC until Sunday. The keynote this year will be given by Peiter "Mudge" Zatko, inventor of L0phtCrack and early pioneer of buffer overflow research. Among the talks filling the three-track program (Build it / Break it / Bring it on), we're glad to find our Crypto Girl, Axelle, who will present a paper she co-wrote with Kyle Yang (another regular poster on this blog) on the infamous mobile phone malware Zitmo, which we discovered (simultaneously with Spanish...
by Guillaume Lovet  |  Jan 27, 2011  |  Filed in: Security Research