Zeus Banking Trojan Variant Attacks Android Smartphones


A variant of Zeus banking Trojan is now making the rounds on Google Android smartphones, researchers at Fortinet warned.

The malicious mobile application, a strain known as Zitmo, has been in circulation for several months. The malware works in conjunction with the Zeus banking Trojan to circumvent SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile in attacks designed to monitor and steal users’ banking credentials from their mobile devices.

Now, however, Zeus authors have configured the Zitmo to target Android smartphones, according to Fortinet researchers, which has the potential of affecting millions of smartphone users.

As with simimlar attacks, Android smartphone users would likely install the Zitmo malware via some kind of social engineering scheme, designed to trick them into downloading the malicious application. “The ultimate goal would be for ZeuS to be able to trick the user into installing an application on their device that could be portrayed as a “security certificate” or other means to validate communication with the bank,” said Juniper researchers in a blog post .

In the latest version of the attack, the Zitmo malware poses as a version of Trusteer Rapport, a banking security tool, served to Google Android OS devices via a Web server designed to deliver Zeus malware over multiple platforms. In order to make the malware appear legitimate, the application uses a stolen Rapport icon and displays a simple authentication screen.

During an attack, the phony Rapport application intercepts all incoming SMS (text)-messages and forwards them to a remote malicious server using HTTP POST requests. The pilfered SMS messages are masked using a JSON encoding scheme. Once the attack is underway, the malware enables cyber criminals to have access to mobile transaction authentication numbers (mTANs), or one-time passwords that some banks -- mostly in European countries -- send via SMS message to mobile users as an additional two-factor authentication tool.

However, Vanja Svajcer principal virus researcher for SophosLabs, said that the Android attack was “not very sophisticated,” indicating that Zeus might not be powering the malware.

“That’s why we cannot be 100 percent sure that this is indeed part of the Zeus kit,” Svajcer said. “Nevertheless, this malicious Android application is interesting as it combines spyware functionality with the concept of fake security software. As we’ve seen recently in the Mac OS X world, fake anti-virus software is one of the most common themes adopted by malicious hackers in their attacks.”