
Mobile Phones Targeted By Zeus Banking Trojan

By Stefanie Hoffman, CRN
September 27, 2010    6:03 PM ET

A new strain of mobile malware distributed by the Zeus banking botnet is now seeking smartphones with a mission to intercept confirmation SMS messages from financial institutions and compromise online bank accounts.

The multi-faceted attack, known as Zeus Mitmo (man-in-the-mobile attack), is propelled by the mega Zeus botnet, notorious for distributing banking Trojans and malware.

Altogether, the attack is executed by first compromising the user's desktop, and then by obtaining online bank account information and smartphone information in order to intercept mobile banking transactions and steal financial data.

"What's interesting with this mobile malware variant is that no user interaction is required at all. It sits on the phone, scanning incoming authentication code and sends it to the attacker," said Derek Manky, project manager for security threat and research at Fortinet.

Prior to the mobile attack, the Zeus botnet first launches regular phishing attacks against users' desktops, enticing them to open a malicious Website or attachment via some kind of social engineering scheme. Users who click on the links or files will automatically download a Trojan that captures their online credentials when they log into a banking site.

The multi-pronged attack then launches another phishing ploy that tricks users into disclosing their smartphone number and model. Once that's obtained, the attackers send the phone an SMS, or text message, with an embedded malicious link that downloads the appropriate Trojan for either a Symbian or BlackBerry phone.

The malware then scans all SMS communications for anything that resembles a banking transaction or communication, while installing a backdoor to silently receive instructions from a command and control center. It also creates its own malicious database on the phone, where it stores all the captured financial information.

What distinguishes this strain of malware, security experts say, is that it's specifically designed to circumvent the SMS-based two-factor authentication that most banks implement to confirm transfers of funds: once the phone that receives the confirmation code is itself compromised, the second factor is no longer independent of the first, and a code that only proves possession of the handset proves nothing about who is actually authorizing the transfer.

Manky said that the Zeus Mitmo attack resembled similar banking attacks on desktops, adding that its proliferation indicated that mobile banking was a lucrative enough target to warrant the kind of widespread exploitation that could be achieved with a botnet.

"It's moving past the tip of the iceberg," he said. "With Zeus, because it's a crimeware kit, the potential for this to start spreading is a lot higher. Multiple people could pick this up. It's precisely the problem we see with botnets on computers. (Hackers) don't have to be an expert. This is a stepping stone for them."

The new strain of malware comes as mobile applications have experienced exponential growth over the last year, due, in part, to the preponderance of consumer devices used in the workplace such as the iPhone and iPad.

While hackers previously have been slower to launch sophisticated attacks against smartphones, Manky said that it was only a matter of time before they started seeing a seismic increase of mobile platform malware as more users increasingly relied on smartphones for day-to-day functions.

"I'm not very surprised by it. It's inevitable," Manky said. "It's more of a natural target now. More and more people are using smartphones, more and more of these people will have data plans to download these applications. There is more and more connectivity, and (mobile platforms) are larger targets because of that."
