
Evolution of Zeus. Now in smartphones

Smartphones are also under attack


Mobile devices are booming. The growth in smartphone use could not fail to affect the development of malware for these devices. Compared with personal computers, users' information-security literacy on phones is even lower, which opens a wide field for criminal activity. The simplest way to siphon money is a malicious application that sends SMS messages to premium-rate numbers. But the developers of Zeus and SpyEye have not been idle: in 2010-2011 they released modifications of striking sophistication.
Many people probably know that one of the most popular ways to protect financial transactions over the Internet is the mTan (mobile transaction authentication number), a special sequence of digits sent to your phone via SMS when an operation (transaction) is performed, for example when paying via WebMoney. Here the proliferation of smartphones plays into the hands of attackers, who have developed a mechanism to bypass mTan through malicious applications for the widely used mobile platforms.
Both Zeus and SpyEye can modify the HTML page shown by any electronic payment system (a web inject) in order to send the user's credentials (logins and passwords) to the command center. To get at the mTan, additional fields are injected into the forms, one of which is the phone number. Finally, malware is installed on the smartphone to intercept SMS messages. This technique is called Man-in-the-Mobile (by analogy with Man-in-the-Middle, the interception of data passing over the network between two computers). The interception details for each malware family are described below.
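A defender-side illustration of the web-inject half of this scheme, added here and not part of the original article: the bank's server knows exactly which input names its login form renders, so a POST body carrying extra fields such as a phone number, device model or IMEI is a strong signal that the page was rewritten in the client. The expected field names, the suspicious-name list and the two sample requests are all constructed for this example; the IMEI check uses the Luhn check digit that real IMEIs carry.

```python
import re
from urllib.parse import parse_qs

# Fields the genuine login form renders. Hypothetical names for this example.
EXPECTED_LOGIN_FIELDS = frozenset({"username", "password", "csrf_token"})

# Field-name fragments typical of inject-added inputs (phone number, device
# model, IMEI, "certificate update"). Constructed list, not from the article.
SUSPICIOUS_NAME = re.compile(r"phone|mobile|msisdn|imei|device|model|cert", re.I)

PHONE_VALUE = re.compile(r"^\+?\d{7,15}$")   # E.164-ish phone number
IMEI_VALUE = re.compile(r"^\d{15}$")         # 15-digit IMEI


def luhn_ok(digits: str) -> bool:
    """IMEI check digits use the Luhn algorithm; a value that passes it is far
    more likely to be a real device identifier than a random number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def analyze_login_post(body: str) -> dict:
    """Flag a form-encoded login POST whose fields the server never rendered."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    unexpected = sorted(set(fields) - EXPECTED_LOGIN_FIELDS)
    reasons = []
    for name in unexpected:
        value = fields[name].strip()
        if SUSPICIOUS_NAME.search(name):
            reasons.append(f"unexpected field '{name}' with inject-like name")
        if IMEI_VALUE.match(value) and luhn_ok(value):
            reasons.append(f"field '{name}' carries a Luhn-valid 15-digit IMEI")
        elif PHONE_VALUE.match(value):
            reasons.append(f"field '{name}' carries a phone-number-like value")
    verdict = "suspect_webinject" if reasons else "ok"
    return {"verdict": verdict, "unexpected_fields": unexpected, "reasons": reasons}


# Constructed sample requests: a clean login and one sent from a page rewritten
# by a Man-in-the-Mobile inject (phone number in a reserved fictional UK range,
# the well-known Luhn-valid example IMEI).
CLEAN_POST = "username=alice&password=s3cret&csrf_token=abc123"
INJECTED_POST = (
    "username=alice&password=s3cret&csrf_token=abc123"
    "&phone=%2B447700900123&device_model=Nokia+E71&imei=490154203237518"
)

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_POST), ("injected", INJECTED_POST)):
        result = analyze_login_post(body)
        print(label, result["verdict"])
        for reason in result["reasons"]:
            print("  -", reason)
```

Run as a script it reports `ok` for the clean request and `suspect_webinject` for the injected one. Only unexpected fields are inspected for phone- or IMEI-like values, so a legitimate username that happens to be numeric does not trigger the rule; in production the alert would be raised on the server regardless of what the login itself does, because a correct password from an injected page still means the client is compromised.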

ZeuS-in-the-Mobile


ZeuS-in-the-Mobile (ZitMo), which appeared at the end of September 2010, was the first malware aimed at stealing mTans. On the modified authorization page of the online banking system, in addition to the login and password, users were asked to indicate the model of their mobile device and enter its number, supposedly to update the certificates. Users who provided this information received, after a while, an SMS at the specified number with a link to a new "security certificate" and a request to install it. In fact, the "certificate" was the ZitMo application. ZitMo versions exist for several platforms: Symbian, Windows Mobile, BlackBerry and Android. On the first three platforms the main functionality is to forward SMS messages to the attackers' phone numbers listed in the ZitMo code; interestingly, these mobile numbers are registered in England. The Android version sends the data to the attackers' server via HTTP.

SpyEye-in-the-Mobile


In April 2011, Kaspersky Lab experts discovered another Man-in-the-Mobile attack, this time involving a SpyEye modification. The malicious application for the Symbian platform is called SpyEye-in-the-Mobile (SpitMo). Two additional fields are injected into the login and password form for entering a phone number and IMEI, ostensibly to update certificates for the smartphone. The IMEI was used by the cybercriminals to build the malware signature. The link to the next "security certificate" arrived a few days later in an SMS to the phone number entered in the fake form. The malware is signed with a certificate to ease installation and avoid suspicion. Apparently, the signing certificate was ordered through the website of the association of Chinese dealers OPDA; obtaining it took 2-3 days. On the smartphone, the malware intercepts incoming SMS messages, selects those that contain an mTan, and sends them over HTTP to the attackers' server without showing them to the user.

Carberp-in-the-Mobile


As of December 2012, Kaspersky Lab experts have recorded the appearance of another player in the Man-in-the-Mobile field: Carberp-in-the-Mobile (CitMo) for the Android platform. Carberp is another representative of the same crimeware class as Zeus and SpyEye. Unlike them, it is oriented toward Russian users (Zeus and SpyEye are usually used abroad, mainly in the USA). In March 2012, with the assistance of ESET, one of the many cyber groups that used Carberp in its criminal activities was arrested. After that, the Carberp developers went to ground. Development and sale of Carberp have now resumed; the details, prices and functionality are described here.
The fake online banking form introduced by Carberp invites the user to download and install a program that is supposedly required to enter the system. The user can receive the link in an SMS message by entering a phone number, or scan a QR code and obtain the link directly. The CitMo operating algorithm is identical to SpitMo's: SMS data is sent via HTTP.

Conclusion


I would like to note that an increasing number of smartphone users are at risk. The market is growing and the share of Android devices is growing with it, so their popularity among criminals and malware developers is increasing too. Recently, attackers have even begun placing QR codes in the most crowded places, such as airports and restaurants, pasting them over advertising notices in the hope that potential victims will scan them and end up on a malicious resource. The threat vectors are thus already migrating from the virtual world to the real one.

Source: https://habr.com/ru/post/162679/

