This is a short update to our prior post concerning Zitmo on Android.
Is this really Zitmo?
This fake Trusteer malware shows several differences with prior Symbian variants, but, for simplicity (and because it’s easy to remember), we call it Zitmo.
This does not mean that this variant was written by the same authors (there is no proof on that account, one way or another), nor that it has exactly the same technical functionality or even, depending on naming policies, the same name among AV vendors. What we mean is that this sample was propagated by ZeuS PC trojans – which is all that matters from an end-user perspective…
Denis Maslennikov proves it in his blog post where he shows Win32 ZeuS configuration files with modified Trusteer web pages. This is confirmed by our own research too: we decrypted a ZeuS configuration file and found the Trusteer-related injected pages.
Also, note that another Android Zitmo sample has been discovered; it masquerades as a Kaspersky anti-virus product. We detect that sample as Android/Zitmo.D!tr.spy.
– the Crypto Girl
Kyle Yang and Alexandre Aumoine contributed to this research.