Zeus Banking Trojan Hits Android Phones - InformationWeek


Zeus crimeware creators adapt Zitmo malware, disguised as a banking activation application, to steal financial details from Android users.

The Trojan spyware application known as Zitmo, which is designed to steal people's financial data, has now been altered to target devices running the Android mobile operating system.

"The malware poses as a banking activation application," said Axelle Apvrille, a senior antivirus analyst and researcher for Fortinet, in a blog post. "In the background, it listens to all incoming SMS messages and forwards them to a remote web server."

That's a security risk, as some banks now send mTANs--mobile transaction authentication numbers, which is banking-speak for one-time passwords for authenticating transactions--via SMS. By intercepting these passwords, the Zeus-botnet-using criminal gang behind Zitmo can not only create fraudulent money transfers, but verify them.

While Zitmo isn't new, this Android variant is. "Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for several months," said Apvrille.

The attack is ingenious because the malicious smartphone application often gets pushed by malware after it's infected a PC, but not until the user visits a banking website. At that point, "the malware kicks in and asks the user to download an authentication or security component onto their mobile device in order to complete the login process," said Trusteer CEO Mickey Boodaei in a blog post. "The user wrongly assumes this message comes from the bank while in reality it comes from the malware. Once the user installs the malware on the mobile device the fraudsters control both the user's PC and the user's phone."

To help block malware attacks against their customers, new guidelines from the Federal Financial Institutions Examination Council (FFIEC) recommend that banks consider out-of-band authentication, such as mTANs. But as Zitmo illustrates, however banking regulators revise the guidelines, attackers often find techniques for defeating the new security measures.

Boodaei said that the current threat from smartphone-seeking malware is relatively small, especially because many banks don't use mTANs, and because few people bank using smartphones. But if mobile banking does take off, beware, since the Android security architecture won't be able to stop those types of attacks, given the ease with which users can be tricked, via social engineering attacks, into installing third-party applications.

But he said another worry is that--as with Windows PCs today--attackers will find zero-day vulnerabilities in mobile devices that let them install malicious applications on the fly. That would most likely be accomplished by a prevalent fraudster technique, which is to compromise a website, then install an exploit kit, which uses known or zero-day vulnerabilities to infect with malware all computers that visit the website.

Android wouldn't be the only operating system at risk from such automated exploits. Notably, the zero-day PDF vulnerability currently affecting the iPhone, iPad, and other iOS devices could be used to not only jailbreak a device, but also install malicious applications.
