Researchers have found several samples of a new version of the mobile version of the Zeus malware, with these newest ones targeting the BlackBerry platform. BlackBerry has not been a common target for attackers, despite the high-value user base of corporate executives and government officials, but that may be changing now with this new version of Zitmo targeting RIM’s devices.
Zitmo (Zeus in the mobile) is the name given to the mobile versions of Zeus, and it’s been around for a couple of years already, mostly infecting Android phones. In the past, Zitmo variants have masqueraded as banking security applications or security add-ons. In the case of the new version targeting BlackBerrys, the app shows up on an infected phone as “Zertifikat”. When the victim runs the app, it displays a message in German telling her that the installation was successful and showing an activation code for the app.
There also is a new version of Zitmo for Android making the rounds, and, like the new BlackBerry variant, it is targeting users in a handful of European countries: Spain, Germany and Italy. Zitmo, like its older brother, Zeus, is designed mainly to steal online banking credentials from users. The original versions of Zitmo did this by monitoring incoming SMS messages and picking off the ones that come from a bank and then sending those off to the command-and-control device controlled by the attacker.
That attack is designed to circumvent the out-of-band authentication systems used by some banks, particularly in Europe, that involve the bank sending the user a one-time password via SMS. The more recent variants of Zitmo aren’t that picky. They just gobble up all of the incoming SMS messages and push them out to the C&C, according to an analysis of the new Zitmo variants by Denis Maslennikov, a researcher at Kaspersky Lab. The two C&C numbers being used in the latest attack both are located in Sweden.
“As you may know, the Blackberry platform has never been actively targeted by malware. And here we have 4 different samples of ZeuS-in-the-Mobile for Blackberry at once: 3 .cod files and 1 .jar file (with one more .cod inside). Yes, finally we’ve got a ZitMo dropper file for Blackberry,” Maslennikov said.
“The analysis of new Blackberry ZitMo files showed that there are no major changes. Virus writers finally fixed grammar mistake in the ‘App Instaled OK’ phrase, which is sent via SMS to C&C cell phone number when smartphone has been infected. Instead of ‘BLOCK ON’ or ‘BLOCK OFF’ commands (blocking or unblocking all incoming and outgoing calls) now there are ‘BLOCK’ and ‘UNBLOCK’ commands. Other commands which are received via SMS remain the same.”
In an interview at the recent Black hat conference, Adrian Stone, director of security response at BlackBerry maker RIM, said that while BlackBerry hasn’t been a huge target for malware yet, the company isn’t taking that for granted.
“When you look at our customer base, it’s not only enormous, but it’s also high-value. You start at the White House and work your way down. We start with the code and work our way up from there. The end-to-end security premise of BlackBerry is real. We always have to be vigilant. We look at things from everywhere,” Stone said.
Financially motivated attackers have been focusing a good bit of their attention on mobile devices in the last couple of years, especially as users have begun to migrate more and more of their daily computing tasks to mobile devices. Online banking via mobile apps is a prime target for these crews and one of the more effective ways of avoiding this kind of attack is to only install apps from the official app store for your mobile platform. Attackers often place their malicious or Trojaned apps in alternative app stores, or will even rely on desktops that are infected with Zeus or similar banking Trojans to prompt users to download a mobile “security tool” or something similar.
