Zeus for Android steals one-time banking passwords

Security researchers have warned of a new variant of the insidious Zeus trojan that is designed to run on Google Android smartphones.

The malicious program is a new version of Zitmo, a mobile trojan application first discovered last year that stands for “Zeus in the mobile,” Derek Manky, a senior security strategist at network security firm Fortinet's FortiGuard Labs, told SCMagazineUS.com on Tuesday.

It is designed to steal mobile transaction authentication numbers (mTANs), or one-time passwords that some banks, mostly in Europe, send via SMS message to mobile users as an additional layer of security.

The malware poses as a legitimate banking security application called Rapport, which is made by web security firm Trusteer. Once installed, the bogus app intercepts all incoming SMS messages and forwards them to a remote server.
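The combination described above (an app that receives every incoming SMS and has network access to forward it) is visible in an Android app's manifest. The following is an added triage example, not code from the article or from any of the firms quoted in it: it parses a decoded AndroidManifest.xml and flags the permission-plus-receiver pattern needed to grab an mTAN and ship it out. The manifest, package name and priority threshold are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (not a real Zitmo artefact). It shows the
# pattern the article describes: permission to read incoming SMS, a
# high-priority SMS_RECEIVED receiver, and INTERNET access to forward them.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebankingsecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Rapport">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def sms_exfil_indicators(manifest_xml: str) -> dict:
    """Return the SMS-theft indicators present in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    prio_attr = f"{{{ANDROID_NS}}}priority"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    max_prio = None  # highest priority of any SMS_RECEIVED intent filter
    for flt in root.iter("intent-filter"):
        actions = {a.get(name_attr) for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            prio = int(flt.get(prio_attr, "0"))
            max_prio = prio if max_prio is None else max(max_prio, prio)
    return {
        "reads_sms": bool(perms & {"android.permission.RECEIVE_SMS",
                                   "android.permission.READ_SMS"}),
        "has_network": "android.permission.INTERNET" in perms,
        "sms_receiver_priority": max_prio,
    }


def looks_like_sms_forwarder(manifest_xml: str) -> bool:
    """Flag SMS access + network access + an SMS receiver with a raised priority."""
    ind = sms_exfil_indicators(manifest_xml)
    # Threshold is an assumption for the example: any explicitly raised
    # priority lets the app see a message before the default SMS app does.
    raised = ind["sms_receiver_priority"] is not None and ind["sms_receiver_priority"] > 0
    return ind["reads_sms"] and ind["has_network"] and raised
```

A legitimate SMS client also requests these permissions, so the check is a triage signal for further review, not a verdict on its own.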

Mickey Boodaei, CEO of Trusteer, told SCMagazineUS.com on Tuesday that Zitmo's masterminds leveraged his company's name to gain users' trust. The program spread for four to five days during late May and early June, but the servers supporting the operation were taken offline more than a month ago.

The Zitmo variant for Android worked in conjunction with Zeus version 2.1.0.10, Boodaei said. Once a user's PC was infected with Zeus, the malware tried to trick them into downloading Zitmo on their smartphone.

The Zitmo family of malware has also previously targeted Symbian, BlackBerry and Windows Mobile phones, Boodaei said.

Zitmo is the first malicious mobile application designed to work in combination with a Windows trojan, according to researchers at networking and security firm Juniper Networks.

It attempts to bypass banks' two-factor authentication by stealing mTANs in real time, as they are being sent to a user, Manky said. Variants of Zeus can steal one-time passwords from an infected PC, but only after a user enters them into an online banking site during login.

“[Attackers] know that banks are employing two-factor authentication,” Manky said. “This is evidence that attackers are going after and trying to defeat those additional security barriers.”

mTANs are currently used for authentication mostly in European countries, according to Juniper. Most banks, especially in the United States, are not currently using this form of authentication, meaning the threat here would be “irrelevant” to most users, Boodaei said.

It could, however, be dangerous from a data-leakage perspective, since Zitmo sends all SMS messages back to attackers, Manky said.

Going forward, attackers will likely develop more sophisticated banking trojans for the mobile platform, Boodaei predicted.

“We will start seeing malware that actually tries to tamper with your transactions through your mobile phone instead of just getting SMS messages,” he said.
