The Zeus banking Trojan has jumped the bridge to the large and growing ecosystem of mobile devices powered by Google’s Android operating system, according to security researchers at Fortinet.
Researchers say they have obtained a Zeus variant, dubbed “Zitmo,” that can run on Android phones and that has the ability to intercept one-time pass codes sent to mobile phones as an added, “two-factor” security measure.
The new Android variants are just the latest evidence that malware authors are expanding their operations to mobile devices. Earlier Zeus variants that run on Nokia Symbian, RIM BlackBerry and Microsoft Windows Mobile devices were identified in February. The post, by Fortinet researcher Axelle Apvrille, says that Fortinet researchers had observed conversations relating to Zeus for Android, and were finally able to obtain and test a sample. The malware they obtained looks much like known Android malware variants. It masquerades as a banking security application by the firm Trusteer. The malware is intended to thwart online banking security systems that rely on so-called out-of-band (OOB) authentication: sending pass codes to pre-registered cell phones that are required to start an online banking session.
According to Trusteer CEO Mickey Boodaei, the new Zeus Trojan for Android defeats that system, using a man-in-the-middle attack that marries PC-based Zeus infections with a mobile component.
A user whose PC is infected and who tries to access a bank Web site triggers the Zeus malware, which “asks the user to download an authentication or security component onto their mobile device in order to complete the login process.” That security component, disguised as Trusteer’s Rapport product but actually the Zeus mobile variant, gives fraudsters control of both the user’s PC and the user’s phone. At that point, the Zeus malware can generate a fraudulent transaction on behalf of the user and authenticate it by intercepting the SMS verification message on the phone and forwarding it to the malware on the PC. The mobile Zeus variant then deletes the confirmation message from the user’s mobile device so the user will not see it, and enters the code on the PC to complete the transaction.
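As an added illustration of the defensive side (example code written for this article, not Fortinet’s or Trusteer’s own detection logic): a static triage script that flags an Android manifest combining the traits described above, a self-styled “security” app that requests SMS access and registers a high-priority receiver for incoming SMS, which is the position an app needs to read a one-time code before the user sees it. The sample manifest is constructed for this example and the scoring thresholds are assumptions.

```python
"""Heuristic manifest triage for Zitmo-style traits (example code; the
manifest below is constructed and the thresholds are assumptions)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample manifest modelled on the behaviour described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.rapport">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Trusteer Rapport Security">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found in the manifest plus a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") if app is not None else "") or ""
    max_priority = None  # highest priority of any SMS_RECEIVED intent filter
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            prio = int(flt.get(ANDROID_NS + "priority", "0"))
            max_priority = prio if max_priority is None else max(max_priority, prio)
    indicators = {
        "sms_permission": bool(perms & SMS_PERMS),
        "sms_receiver": max_priority is not None,
        # a high priority lets the receiver see the SMS broadcast before the
        # stock messaging app does; threshold is an assumption
        "high_priority_sms_receiver": (max_priority or 0) >= 1000,
        "security_branding": any(w in label.lower() for w in ("security", "rapport", "bank")),
    }
    score = sum(indicators.values())
    indicators["verdict"] = "suspicious" if score >= 3 else "review" if score == 2 else "clean"
    return indicators
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest returns a “suspicious” verdict with all four indicators set.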
The combination of mobile and PC-based malware in recent months marks an evolution on the part of fraudsters, experts agree. While social engineering is used to spread the Zeus Android variant, Boodaei notes that the mobile application ecosystems operated by Google, Apple and others are an Achilles’ heel. As Boodaei points out, both companies make it difficult to report rogue applications and get them removed. That may allow mobile malware to proliferate longer on those marketplaces.
Boodaei warns that threats to mobile devices could grow once exploits for common mobile platforms like iOS and Android become a standard component of the kinds of exploit kits that power most Web-based attacks today.