Smartphones

Crimeware subverts mobile OSs: Is Android next?

Believe two-factor authentication using SMS texts is secure? Think again. Michael Kassner reports that Zeus malware now has a smartphone partner called Zitmo.

When it comes to crimeware, Zeus has no equal. People behind the malcode have stolen millions from unsuspecting organizations. I first wrote about Zeus back in October of 2009. Three years later, Zeus is still going strong.

The latest volley between security firms and the developers responsible for Zeus involves SMS-based two-factor authentication. The theory goes: Using Short Message Service (SMS) as an out-of-band verification prevents Zeus from capturing log-in credentials. SecurID technology is also out-of-band, but most institutions are shying away from it right now.

Difficult but not impossible

Well, Zeus now has a partner. Meet Zitmo (Zeus In The MObile), phone malware designed to capture SMS texts and forward them to the attacker. Here's how, according to S21sec:

  • When you visit a financial portal, Zeus (already installed on the computer) steals your username and password.
  • The attacker then attempts to infect your mobile device by installing a malicious application (possibly an SMS with a link to the malicious mobile application).
  • The attacker logs in with the stolen credentials using your computer as a socks/proxy and performs a specific operation that needs SMS authentication.
  • An SMS is sent to your mobile device with the authentication code. The malicious software running in the device forwards the SMS to the attacker's computer.
  • The attacker fills in the authentication code and completes the operation.

One has to admit, the sophistication is impressive. Zeus (PC) and Zitmo (smartphone), working in concert, allow the attacker to successfully log in and siphon finances from your account.

But not Android

Security researchers at Fortinet, S21sec, and McAfee are following the Zeus/Zitmo saga closely. They have examples of Zitmo code for Symbian, BlackBerry, and Windows Mobile operating systems--three out of the big four (Edit: Should be five, but iOS is not affected). What about Android?

Missing an opportunity

According to this Nielsen report, Android is favored by a third of all smartphone users. Seems to me, the bad guys are missing or avoiding the largest segment of mobile-device users. Puzzling.

Maybe not

While trolling for research material, I came across a Fortinet blog post by Axelle Apvrille. She reported that Zitmo may now be ported to Android:

"Lately, there's been an active discussion on technical forums regarding Zeus targeting Android users. We finally managed to get our hands on the mobile sample the Zeus PC trojans are propagating.

Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when propagated by the Zeus gang."

Found a puzzle piece.

Then I came across this: Dissecting Zeus for Android (or Is It Just SMS Spyware?). Carlos Castillo, researcher for McAfee, questions if what they found is indeed Zitmo for Android. Oh-Oh. Now full-blown confusion.

Back to basics

Long ago, I learned something about confusion. It is unwise to write while in a confused state. Saving that story for my memoirs.

Anyway, I dashed off an email to Mr. Castillo, hoping that he would clear up my confusion. I started with the basics.

Kassner: Would you explain what role smartphones play when Zitmo malware is installed?

Castillo: Smartphones are the component needed to defeat second-factor authentication (sent in an SMS) in an electronic transaction.

When the Zeus malware is installed on a PC, it will show a window suggesting the user download the Android application which is in fact the malware that will intercept all incoming SMS and forward those messages to a remote server.

Kassner: I assume attackers are monitoring many infected PCs and smartphones. How do they correctly associate SMS texts with login credentials?

Castillo: Once the malware collects the information related to the SMSs being received in the device, it will also collect the IMEI (International Mobile Equipment Identity) of the smartphone and it will send it to a remote server.

On the other side, on the Windows computer, the Zeus version for this platform will ask for the number given by the Android application (a fake security tool), which is in fact the IMEI of the device, and with that data the computer crooks are able to link the stolen credentials on both platforms.

Kassner: Your paper mentions that Zitmo malware uses a special app as the delivery vehicle. Is there something people can watch out for to prevent the download?

Castillo: The delivery component of Zitmo is not using the most common distribution mechanism--repacking legit applications with malicious code--used by malware like DroidDream or Geinimi. In fact, this is a purely malicious application with no clean code inside, making it easier to detect.

Also, the Windows version of Zeus will ask you to enter a URL address to download the application, and the application will want permission to access your SMS. Both should raise your level of suspicion.

Kassner: Is there something specific that people can check to make sure the Zeus malware is not already on their smartphone?

Castillo: The two principal variations of this malware are fake versions of security tools belonging to Trusteer and Kaspersky. The slide below shows the difference between the Zitmo and real icons.

If you have an installed application that acts as a security tool and shows you the IMEI--the device is most likely infected. The other sign of infection will be missing SMS. Those are blocked by the Zitmo malware.
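Castillo's two warning signs, an app that asks for SMS access and shows you the IMEI, can be turned into a quick triage check on a decoded AndroidManifest.xml. The script below is an added example and is not code from the article, McAfee or Fortinet. It assumes a manifest already extracted from the APK (for instance with apktool), it relies on the fact that reading the IMEI on Android requires READ_PHONE_STATE, and the high-priority receiver heuristic (threshold of 100 is an assumption) is there because a receiver that registers for SMS_RECEIVED ahead of the messaging app is the usual way incoming texts go "missing". The two manifests are constructed for the demonstration.

```python
"""Triage an Android manifest for the fake 'security tool' traits described above.

Added example, not the article's or any vendor's code. Assumes a decoded
AndroidManifest.xml as input. Sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE"}   # needed to read the IMEI
NET_PERMS = {"android.permission.INTERNET"}                # needed to forward anything
PRIORITY_THRESHOLD = 100   # assumption: any SMS receiver above this is worth a look


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(A_NAME) for el in root.iter("uses-permission")}


def sms_receivers(manifest_xml):
    """Return (receiver class, priority) for every receiver registered for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                found.append((rcv.get(A_NAME), flt.get(A_PRIORITY)))
    return found


def triage(manifest_xml):
    """Return (suspicious, findings): suspicious when the app can read SMS,
    read the device identity and talk to the network all at once."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & SMS_PERMS:
        findings.append("reads incoming SMS")
    if perms & IDENTITY_PERMS:
        findings.append("can read device identity (IMEI)")
    if perms & NET_PERMS:
        findings.append("has network access")
    for cls, prio in sms_receivers(manifest_xml):
        if prio is not None and int(prio) >= PRIORITY_THRESHOLD:
            findings.append("high-priority SMS receiver %s (can suppress messages)" % cls)
    suspicious = bool(perms & SMS_PERMS) and bool(perms & IDENTITY_PERMS) and bool(perms & NET_PERMS)
    return suspicious, findings


# Constructed manifest resembling the fake security tool described in the interview.
FAKE_TOOL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecuritytool">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for an ordinary network-only app, for comparison.
PLAIN_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fake tool", FAKE_TOOL_MANIFEST), ("plain app", PLAIN_APP_MANIFEST)):
        suspicious, findings = triage(manifest)
        print(label, "-> suspicious" if suspicious else "-> ok")
        for f in findings:
            print("   ", f)
```

The check is deliberately coarse: a legitimate messaging client will also hold SMS permissions, so treat a hit as a reason to look at the app (who published it, where it was downloaded from, whether it shows you an IMEI) rather than as a verdict.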

Kassner: That gives us a good idea as to what Zitmo does. You feel that the captured malware is probably only SMS spyware. With your permission I would like to paraphrase your reasons:
  • In general, this malware is not sophisticated compared with other Android malicious code seen in the wild like ADRD. All traffic with command and control servers is in clear text, unlike all other Zeus malware.
  • There is no evidence that intercepted messages are being filtered to target a specific bank or to search for a specific authentication code inside the message.
  • Unlike Zitmo, this malware does not implement control commands such as SET ADMIN to change the device that is controlling the bots, and it does not have a mechanism to change the URL that is collecting the SMS (in case it is needed).

Final thoughts

I'm glad there are dedicated people like Axelle Apvrille and Carlos Castillo. They invest a lot of time tracking malware, especially financial crimeware. Things would be a lot worse without their diligence.

Second, I hope I achieved my purpose today: Alerting you to the fact that two-factor authentication is not a security blanket, not any more.

And, Android users, we are next. There is no way the bad guys are going to let 30 percent of us go scot-free.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

16 comments
DNSB

Interesting that you refer to Symbian, Blackberry, and Windows mobile as being three of the big four mobile OS with Android as the fourth. I have vague memories of a fifth mobile OS that should have been in that list based on market share if nothing else.

Spitfire_Sysop

A long string of things would have to go wrong and unnoticed for this to pan out. Not the least of which is what financial institution you use. The stars would have to align for this to be successful. I think it would be far easier to simply attack bank accounts from the phone. I know people who do on-line banking from their smartphones. There are dedicated banking apps. I know a guy who transfers money daily from an iPhone app. Seems idiotic to me and I told him so. If they can intercept data from a banking app or simply get an infected version of a banking app out there, then you have good odds that the person using the app banks with a known bank. The odds are also good that if they can perform a transfer, you could be the recipient of said transfer.

seanferd

This is where plain-old cell phones may have an advantage. If you can't install anything normally, it will be a bit harder for an attacker to get malcode onto the device. Are there still any plain-old cellular phones, or have those gone extinct?

Michael Kassner

First SecurID and now SMS. Zitmo, partnering with Zeus, is able to capture and send SMS-authentication texts to attackers.

Michael Kassner

I should have been clearer about referring to mobile OSs being subverted. At the time of releasing this post, iOS was not.

Michael Kassner

It is predicated on Zeus being installed on the computer. And, if you check, you will find the number of infected computers is rather large. As for attacking just from the phone, that may be entirely true. Finally, what do the bad guys have to lose? This process is mostly automated. They get a bite, they win.

Michael Kassner

I suspect. Telcos seem to subscribe to the razor/razor blade marketing theory, which requires phasing out devices that provide only nominal income.

santeewelding

I protect and prolong its life by almost never turning it on. Only when God wishes to reach out and touch to make someone jump.

wdewey@cityofsalem.net

I am assuming that the malware is not distributed from the Android Market, so if a person does not allow apps from other locations, would they be susceptible to this malware? There is a lot of social engineering required for this to work, so I tend to agree that while plausible it is not going to have a high success rate in my opinion.

seanferd

And it's a dead give-away when the important papers from your cellco tell you that you are eligible to upgrade x number of phones next year, before they might even know what the new phones will be.

seanferd

But I doubt they even work, and certainly have no service. Time for recycling, I think, unless there is something more interesting or entertaining one might do with the parts.

Michael Kassner

That it still works. Batteries tend to wither from inattention.

Michael Kassner

As I tend to get tunnel vision. Thus, needing people like yourself to straighten me out. Thanks.

JCitizen

Since Rapport can block anything that tries to modify or inject into the browser, other than the user, it would be easier to use social engineering. I should think it would be easy for malware to read the drive and discover any possible phone numbers for the target, and use that as well. I have a program that can read the drive and quickly (about 1 minute or less) show any phone number or credit card that has been entered through the keyboard or filed in a documents folder. Fortunately it is one of the good guys (I hope always so) and is used to find the errant information and either delete or encrypt said information. I'm not sure Rapport blocks sensing that an SSL session is in progress, so if it doesn't, the bug could simply guess at it, and run an automated SMS message to a target phone number, in an attempt to fool the target person into thinking it was a legit out-of-band authentication. That is a riskier scenario for the criminal, than compared to the Zeus variant you write about however. I wonder if the developer of PassWindow ever got his Zeus problems ironed out? I should think he could make it work with Trusteer, and take advantage of the browser bubble; but then it wasn't supposed to use a browser at all, was it? (edited) The developer of PassWindow tells me he has a plugin for the browser that works similar to Rapport; I'm just going by his word that it can't be manipulated. I forgot to ask if it resides in kernel space like Rapport does. I also have no idea if any of this is valid for mobile devices.

Michael Kassner

And why I am presenting this information. You may be surprised how many people download apps from other sources. Rapport is a popular security system used by banks. I'd suspect the app would fool a significant number of people using a simple email.