ZeuS, also known as ZBot, is one of the best-known malware families in the industry. Its main purpose is to steal information, primarily banking credentials that are then used to commit electronic fraud. Until 2010, ZeuS existed only for personal computers, since that platform was (and still is) the principal medium for electronic transactions. However, mobile devices have grown in popularity, and many banks have added security measures built around them, such as sending an mTAN (Mobile Transaction Authentication Number) via SMS as a second factor of authentication. As a result, in September 2010 a new variant of ZeuS was discovered targeting mobile devices (Symbian, BlackBerry and Windows Mobile). Its job is simple: intercept the SMS messages the bank sends to the user and forward the captured mTANs to a remote server, defeating SMS-based two-factor authentication for online banking.
According to Axelle Apvrille from Fortinet, “lately there’s been an active discussion on technical forums regarding ZeuS targeting Android users”, and it seems that Fortinet, along with other security companies such as F-Secure, s21sec and Kaspersky, has finally found a ZeuS version for one of the most prevalent smartphone operating systems today: Zitmo for Android. Apparently the sample “was served to devices running the Google Android OS by a web server which was configured to deliver Zbot malware to multiple platforms”. Let’s take a look at this application to figure out whether it is related in some way to the ZeuS family. At first sight, the malicious application tries to impersonate a security product, Trusteer Rapport, which is designed to “prevent Man-in-the-Browser malware and Man-in-the-Middle attacks”. In fact, its icon is very similar to the official Trusteer logo:
Before the application is installed, Android shows the permissions it requests. In this case they are RECEIVE_SMS, INTERNET and READ_PHONE_STATE, which will not look suspicious to the victim: the application is a phishing attack that poses as a security product, and a product of that kind can plausibly claim that it needs to receive the SMS carrying the second authentication factor. According to the AndroidManifest.xml inside the original APK, the application is composed of an Activity (executed when the user taps the fake icon), a Service (which runs in the background without the user’s knowledge) and a broadcast receiver class named “SmsReceiver” that is executed every time the device receives an SMS:
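The manifest the post refers to is shown only as a screenshot. As an added example (not code from the original post and not the malware’s own code), the following Python script parses a decoded AndroidManifest.xml and flags the combination described above: the three permissions, a receiver registered for the SMS_RECEIVED broadcast and a background service. Both sample manifests are constructed for the example; the package names, the activity class name and the receiver priority are assumptions, since the post does not show them.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-forwarding pattern.

Added example. A real APK ships its manifest as binary XML; decode it first
(for instance with `apktool d sample.apk`) and feed the resulting text in.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
INTERCEPT_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest mirroring the layout the post describes: one Activity,
# one Service and an SMS receiver. Package name, activity class name and the
# priority value are assumptions, not taken from the analyzed sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakerapport">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Rapport">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".MainService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: an online app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Extract the indicators of the SMS-forwarding pattern from a decoded manifest."""
    root = ET.fromstring(xml_text)
    name_attr = ANDROID_NS + "name"
    permissions = {p.get(name_attr) for p in root.iter("uses-permission")}

    # Receivers registered for SMS_RECEIVED, with their intent-filter priority.
    # Before Android 4.4 a high-priority receiver could call abortBroadcast()
    # and keep the message from ever reaching the user's messaging app.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(name_attr) for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(intent_filter.get(ANDROID_NS + "priority", "0"))
                sms_receivers.append((receiver.get(name_attr), priority))

    services = [s.get(name_attr) for s in root.iter("service")]
    missing = sorted(INTERCEPT_PERMISSIONS - permissions)

    return {
        "package": root.get("package"),
        "permissions": sorted(permissions),
        "missing_intercept_permissions": missing,
        "sms_receivers": sms_receivers,
        "services": services,
        # All three permissions plus an SMS receiver and a background service
        # together form the pattern described in the post.
        "sms_intercept_pattern": not missing and bool(sms_receivers) and bool(services),
    }


def report(result):
    """One-line verdict suitable for an analyst's notes."""
    if result["sms_intercept_pattern"]:
        recv = ", ".join(f"{n} (priority {p})" for n, p in result["sms_receivers"])
        return f"{result['package']}: SMS interception pattern, receiver(s) {recv}"
    return f"{result['package']}: no SMS interception pattern"


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(report(triage_manifest(manifest)))
```

The permission triple alone is common in legitimate apps; what separates this sample from them is the combination with an SMS_RECEIVED receiver and a service that does the forwarding, which is why the verdict requires all three indicators. The priority is worth recording because, on the Android versions current when the post was written, a receiver with a higher priority than the stock messaging app could abort the broadcast, which is the “intercept (and block)” behaviour the post describes.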
When launched, the activity displays a fake user interface imitating Trusteer Rapport and shows the user an “activation key” that is supposedly to be entered on the bank’s website. In fact, the number displayed is the device’s IMEI (International Mobile Equipment Identity) with its digits separated by the character “-” (here the key consists only of zeros because the sample was run in an emulator, whose IMEI is all zeros):
Once the application is installed, the code inside SmsReceiver is executed every time the device receives an SMS. This code does nothing more than hand the captured SMS to the service “MainService”. The service starts a thread that collects the originating address (sender) and the message body of each SMS and stores them as name/value pairs, the structure commonly used to submit data over HTTP:
Once the sender and the body of the message have been collected, the IMEI of the device is collected as well, and all of this information is sent to a remote server as a JSON object in an HTTP POST request:
The question is whether this malware is the Android version of Zitmo. Based on the analysis above, the sample is probably just SMS spyware, because:
- In general, this malware is not sophisticated (compared with other Android malicious code seen in the wild, such as ADRD): it only intercepts (and blocks) all incoming SMS messages and forwards them to a remote server whose address is present in clear text in the application’s code. The application neither encrypts its communication with the remote server nor obfuscates its code to hinder analysis.
- There is no evidence that the intercepted messages are filtered to target a specific bank or to search for a specific authentication code inside the message. Instead, every message is forwarded to the remote server, which makes the job harder (though still possible with automation) for the ZeuS gang, since they need to correlate the victim’s username and password with the mTAN in the SMS in real time.
- Unlike Zitmo, this malware does not implement C&C commands such as “SET ADMIN” to change the device that controls the bots, and it has no mechanism to change the URL that collects the SMS messages should that become necessary.
Although this application was found on a web server that was actively distributing ZeuS malware, the current evidence and the analyzed application do not allow us to confirm this theory. Moreover, the malware acts as fake security software, a social engineering technique that is very common nowadays in malware for personal computers (a.k.a. FakeAlerts). We expect more Android malware to be developed to steal financial information and defeat banking authentication. McAfee products detect this malware in our latest DATs as Android/SpySMS.