The Android SMSSpy, or Zitmo, was found in a fake Android application appearing to be from Trusteer, a security firm that, ironically, does not have an Android security solution. Zitmo, short for Zeus in the Mobile, has now been written to run on Android, extending its reach beyond the Windows Mobile, Symbian and BlackBerry operating systems.
At its core, Zitmo operates as a man-in-the-middle attack, intercepting the two-factor authentication that banks use to validate the identity of the account holder at login, typically a one-time password sent to a mobile device via SMS. During the attack, the malware lifts SMS texts sent to the user that contain bank account passwords and other sensitive information, and promptly funnels them to a remote server. Even if a particular bank doesn’t require two-factor authentication, Zitmo can forward and spy on all SMS messages, making it a valid threat.
(Image provided by Webroot)