Updated on Wednesday, Sept. 29 at 1:37 p.m. EST
The unrelenting Zeus trojan has gone mobile.
According to experts at Fortinet and S21sec, the malware now is being leveraged to infect smartphones in a ploy to steal codes, sent through text message, that are used to authenticate online banking transactions.
The variant, branded "SymbOS/Zitmo.A!tr" by Fortinet, is designed to hijack text messages delivered by banks to their customers, said Derek Manky, project manager for cybersecurity and threat research at Fortinet. The SMS messages contain a transaction authentication number, or TAN, used by bank customers, particularly in Europe, as a second factor, in addition to the traditional username and password, to authorize financial transactions.
"It's very new and it's under analysis," Manky said of the trojan. "We can't say how many handsets have been affected, but it's definitely valid. It will install on the phone and will function and will forward stolen SMS messages to the attackers."
Some Symbian and BlackBerry devices were impacted, but the problem appears to have been fixed, at least for Symbian users. A spokesperson for Research in Motion, maker of the BlackBerry, did not respond to a request for comment.
"The command-and-control server used by the malware gang has been shut down, and the malicious application has been revoked in accordance with Symbian Signed procedure," Craig Heath, chief security technologist at Symbian," said in a statement. "As far as we are aware, no Symbian smartphone users have suffered losses due to this malware. However, Symbian recognizes that this is a valuable warning to the entire mobile industry as to the direction that criminal groups are taking in relation to mobile malware, and we are working on improvements to our processes to prevent similar abuse in future."
The so-called "man-in-the-mobile" attack has a number of steps.
First, the user's PC is infected with the Zeus trojan, which enables the criminals to retrieve his or her online banking username and password, according to S21Sec's David Barroso. Then, victims are sent a text message — the cybercrooks retrieve the mobile device number through a social networking ploy — that contains a malicious application, which, if installed, infects the phone.
The attacker logs in to the banking website and performs a transaction that requires the TAN. The bank automatically sends an SMS, containing the TAN, to the mobile device. The malware already present on the smartphone then forwards the text message to the attacker-controlled server. Now with the TAN at their disposal, the attackers can complete the transaction.
Manky said the ruse is notable because it enables criminals to evade added measures of authentication.
"Any security barriers that are put up, they're going to think of ways to rip them down," he said.