There are two new versions of the Zeus malware making the rounds right now, both of which target popular mobile phone platforms. One of the variants targets Windows Mobile devices, while the other is going after the Symbian platform, and both are intent on silently stealing data from infected devices.
The new mobile Zeus variants surfaced within the last couple of days and are similar to an older mobile version of the venerable malware. The first Zeus mobile variant appeared in September of last year and aimed to trick users into downloading the malware through a warning about the need for a “certificate update.”
Once the older version was installed on a mobile device, users would get a message asking them to enter their phone number and phone model so they could get their specific update. The malware would then install a component that intercepts SMS messages on the infected device and sends them to a remote mobile number.
“The new version of the Symbian ZeuS trojan (detected as Trojan-Spy.SymbOS.Zbot.b) is similar to the previous one: same commands and same functionality. The Windows Mobile version of the ZeuS trojan (detected as Trojan-Spy.WinCE.Zbot.a) has the same functionality and even the same commands. For example, both versions will report to the same C&C cell phone number (British) after a successful infection,” Denis Maslennikov, a malware researcher at Kaspersky Lab, wrote in an analysis of the new Zeus variants.
Smartphones are now near the top of the list for attackers looking for the path of least resistance to gathering sensitive user or corporate data. Mobile malware has not really emerged as the major threat that has been predicted since roughly 1999, but malicious smartphone apps and other threats have surfaced to take up the slack.
“The first ZeuS in the Mobile attack showed us that cybercriminals continue to extend their activities into new platforms and target new areas (mTANs in this case). The second Zeus in the Mobile attack proved that cybercriminals are still very far away from stopping their activities. The newly targeted platform only confirms this fact.”