There’s a new series of malicious Android applications masquerading as a premium security app for the mobile platform, and researchers say that the malware is part of the Zeus empire.
The fake security apps began showing up in researchers’ malware traps in early June, and newer versions have continued to pop up throughout the month. The file is called “Android Security Suite Premium” and its main intent seems to be stealing incoming SMS messages and then sending them off to one of the attacker’s command-and-control servers. Depending upon what apps the victim’s phone has installed, those incoming messages could contain sensitive data such as password-reset links or other information.
Once the malicious app is installed and executed, it shows the user a fake activation code.
“It is also important to mention that these malicious apps are able to receive commands for uninstalling themselves, stealing system information and enabling/disabling the malicious applications. Let’s be honest, such functionality (the ability to receive and execute commands and the ability to steal SMS messages) is not that new for mobile (Android) malware. But there was a feeling that there was something more behind these files,” Denis Maslennikov, a Kaspersky Lab security researcher, said in an analysis of the Android security threat.
The malware uses a series of six C&C servers, some of which are essentially blank slates in terms of available information. But one of them provided the link that showed researchers that the scam is part of the larger Zeus malware campaign. That server is registered in Russia, but with mostly fake data. However, some of that data led researchers to other files that they knew were Zeus-related.
“Yes, it’s fake data but if you continue to google for e.g. email@example.com you will find out that there are more domains which were registered back in 2011 using the same fake data. For example, favoritopi*****.com, akteriak*****.com, basepol*****.com or justdongwf3*****.info. All these domains were found in our ZeuS C&C database,” Maslennikov wrote.
Mobile versions of Zeus, also called ZitMo, or Zeus in the Mobile, have been around for a couple of years now, and attackers have been successful in disguising the malware in various ways. The new version for Android shows that the Zeus attackers are not slowing down in their efforts to continue to get their malware on users’ devices.