Tuesday, September 13, 2011

SPITMO: First SpyEye Attack on Android Mobile Platform Now in the Wild

Via Net-Security.org -

The first SpyEye variant, called SPITMO, has been spotted attacking Android devices in the wild. According to Amit Klein, Trusteer’s chief technology officer, the threat posed by DroidOS/Spitmo has escalated the danger of SpyEye now that this malicious software has been able to shift its delivery and infection methods.

“We always said it was just a matter of time before the true potential of Spitmo was realized," says Klein. "When it first emerged [for the Symbian OS] back in April, F-Secure reported in its blog that it was targeting European banks. The trojan injected fields into a bank's webpage asking the customer to input his mobile phone number and the IMEI of the phone. The fraudster then needed to follow a cumbersome three-stage sequence - get the IMEI number; generate a certificate; then release an updated installer. This process could take up to three days."

“We couldn’t believe fraudsters would go to that much effort just to steal a couple of SMSs - and it appears we were right," he says. "Information gathered by Trusteer's Intelligence Centre has discovered a new, far more intuitive and modern approach of SPITMO for Android now active in the wild.”


Once the Trojan has successfully installed [on the Android device], all incoming SMS messages are intercepted and transferred to the attacker’s Command and Control server. A code snippet is run when an SMS is received, creating a string, which will later be appended as a query string to an HTTP GET request, to be sent to the attacker's drop zone.


What makes all of this so scary is that the application is not visible on the device’s dashboard, making it virtually undetectable, so users are not aware of its presence and will struggle to get rid of it.
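The SMS-forwarding step described in the quoted article (the intercepted message is packed into a query string on an HTTP GET to the drop zone) leaves a distinctive shape in egress logs. What follows is an added example, not code from Trusteer or the quoted article: a detector that scores GET requests by the shape of their query-string values rather than by parameter names, since the malware's real parameter names are not given here. The log format, hosts, IP addresses and the parameter names `sender`, `text` and `device` in the sample lines are constructed for illustration.

```python
"""Flag HTTP GET requests whose query string looks like an intercepted SMS
being forwarded to a drop zone, as described for Spitmo.

Added example, not Trusteer's code. Log format, hostnames and the query
parameter names (sender, text, device) are constructed assumptions; the
detector keys on value shapes, not on those names, so it does not depend on
the malware's real parameter names."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: timestamp, client IP, method, URL, user agent.
SAMPLE_LOG = """\
2011-09-13T10:01:02Z 10.0.0.7 GET http://bank.example/mobile/balance?acct=main Mozilla/5.0 (Linux; U; Android 2.3.4)
2011-09-13T10:01:40Z 10.0.0.7 GET http://203.0.113.9/gate.php?sender=%2B4915112345678&text=Your+mTAN+is+482913+for+transfer+to+DE89370400440532013000&device=359881012345678 Mozilla/5.0 (Linux; U; Android 2.3.4)
2011-09-13T10:02:05Z 10.0.0.8 GET http://news.example/search?q=android+banking Mozilla/5.0 (Linux; U; Android 2.3.4)
2011-09-13T10:03:11Z 10.0.0.7 GET http://203.0.113.9/gate.php?sender=%2B4915112345678&text=Hi+are+we+still+on+for+lunch Mozilla/5.0 (Linux; U; Android 2.3.4)
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (.*)$")
PHONE_RE = re.compile(r"^\+?\d{8,15}$")   # E.164-shaped phone number
IMEI_RE = re.compile(r"^\d{15}$")          # 15-digit IMEI
OTP_RE = re.compile(r"\b\d{4,8}\b")        # one-time code embedded in free text
# Hosts the bank actually uses (assumed); anything else receiving SMS-shaped data is suspect.
ALLOWED_HOSTS = {"bank.example"}


def parse_line(line):
    """Split one constructed log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def sms_exfil_score(url):
    """Score a URL by how closely its query string resembles a forwarded SMS.

    Returns (score, reasons). Parameter names are ignored on purpose: only
    the decoded values are inspected."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = []
    if any(PHONE_RE.match(v) for v in values):
        reasons.append("phone-number-shaped value")
    if any(IMEI_RE.match(v) for v in values):
        reasons.append("IMEI-shaped value")
    if any(len(v) > 20 and OTP_RE.search(v) for v in values):
        reasons.append("free text carrying a 4-8 digit code")
    # Destination only counts once some SMS-shaped content is present.
    if reasons and parts.hostname not in ALLOWED_HOSTS:
        reasons.append("destination outside bank allowlist")
    return len(reasons), reasons


def find_suspect_requests(log_text, threshold=3):
    """Return [(client, host, reasons)] for GET requests scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        score, reasons = sms_exfil_score(rec["url"])
        if score >= threshold:
            hits.append((rec["client"], urlsplit(rec["url"]).hostname, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in find_suspect_requests(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

Only the second sample line clears the default threshold: a phone-number-shaped value, an IMEI-shaped value and free text carrying a six-digit code, all sent to a host outside the bank's allowlist. The fourth line is the same device forwarding a harmless message and scores too low, which is why the detector scores several indicators rather than alerting on any one of them.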


Readers should keep in mind that these Spitmo (SpyEye in the Mobile) and Zitmo (ZeuS in the Mobile) attacks are not purely mobile OS-level attacks; they are really blended malware attacks.

Spitmo & Zitmo: Attack Begins on the Desktop, But Increasingly Has Mobile Components

In the Spitmo case outlined by Trusteer above, the attack begins when the victim's PC is infected with this new variant of SpyEye. Once the victim visits their online banking website (on their PC), the malware injects a "new" security measure message into the website, advising the user to download an Android application that is "mandatory in order to use its online banking service." The new measure pretends to be an Android application that protects the phone’s SMS messages from being intercepted and will protect the user against fraud.

The Zitmo attack outlined by Fortinet in September 2010 follows a similar pattern. The attack begins when the victim's PC is infected with this variant of ZeuS. It injects a message into the user's browser upon visiting the online banking website, asking for the user's phone number and phone model. Based on that information, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry JAR for BlackBerry phones, etc.).
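Both attacks above start with a man-in-the-browser inject that adds a message and extra fields to the bank's own page. One check a bank can run, shown here as an added example that is not Trusteer's, Fortinet's or the original post's code, is to compare the form fields the server actually sent against the form the client rendered (the kind of DOM snapshot a bank's page-integrity script would report back). The two HTML documents, the field names (`userid`, `password`, `mobile_number`, `imei`) and the suspicious-keyword list are constructed for illustration.

```python
"""Detect a web-inject by diffing the rendered login form against the
fields the bank's server actually sent.

Added example, not code from Trusteer, Fortinet or the quoted article.
The field names and both HTML documents are constructed for illustration."""
from html.parser import HTMLParser

# Constructed sample: the login form as the bank's server sent it.
SERVER_FORM = """
<form id="login" action="/login" method="post">
  <label for="userid">User ID</label><input name="userid" id="userid">
  <label for="password">Password</label><input name="password" type="password" id="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same form as rendered in an infected browser after the
# inject added the phone-number and IMEI fields described in the post.
INJECTED_FORM = """
<form id="login" action="/login" method="post">
  <label for="userid">User ID</label><input name="userid" id="userid">
  <label for="password">Password</label><input name="password" type="password" id="password">
  <div class="notice">New security measure: please confirm your mobile phone number and IMEI.</div>
  <label for="mobile_number">Mobile number</label><input name="mobile_number" id="mobile_number">
  <label for="imei">IMEI</label><input name="imei" id="imei">
  <input type="submit" value="Log in">
</form>
"""

# Name fragments typical of the phone-enrolment lure (assumed list, extend as needed).
SUSPICIOUS_HINTS = ("phone", "mobile", "imei", "msisdn", "sms")


class FormFieldCollector(HTMLParser):
    """Collect (name, type) for every <input>, <select> and <textarea> in a document."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            self.fields.append((a.get("name"), (a.get("type") or "text").lower()))


def form_fields(html):
    """Return named form controls in document order; unnamed buttons are ignored."""
    p = FormFieldCollector()
    p.feed(html)
    return [f for f in p.fields if f[0] is not None]


def injected_fields(expected_html, rendered_html):
    """Field names present in the rendered page but absent from what the server sent."""
    expected = {name for name, _ in form_fields(expected_html)}
    return [name for name, _ in form_fields(rendered_html) if name not in expected]


def classify(extra):
    """Map each injected field name to True if it looks like the phone/IMEI lure."""
    return {n: any(h in n.lower() for h in SUSPICIOUS_HINTS) for n in extra}


if __name__ == "__main__":
    extra = injected_fields(SERVER_FORM, INJECTED_FORM)
    for name, suspicious in classify(extra).items():
        print(f"injected field {name!r}: {'phone/IMEI lure' if suspicious else 'unknown'}")
```

Any field the server did not send is already evidence of tampering; the keyword classification only ranks the hits so that the enrolment lure used by Spitmo and Zitmo (phone number, IMEI) is triaged first. The same comparison catches injected fields whose names carry no hint at all, since `injected_fields` does not depend on the keyword list.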

Threat Mitigation Recommendations

With this deeper understanding of the Spitmo/Zitmo attacks, it is clear that desktop-based protection is still critically important to mitigate these blended desktop/mobile malware attacks. As always, a multi-layered security system on the desktop is recommended to ensure a high level of protection. However, it is likely that the mobile components of these blended attacks will grow more advanced (and perhaps more independent) as the mobile devices themselves grow more powerful and mobile banking becomes more common.
