Criminals have developed a component of the ZeuS Trojan designed to run on Google Android phones. The new strain of malware comes as security experts are warning about the threat from mobile malware that may use tainted ads and drive-by downloads.
Researchers at Fortinet said the malicious file is a new version of “Zitmo,” a family of mobile malware first spotted last year that stands for “ZeuS in the mobile.” The Zitmo variant, disguised as a security application, is designed to intercept the one-time passcodes that banks send to mobile users as an added security feature. It masquerades as a component of Rapport, a banking activation application from Trusteer. Once installed, the malware lies in wait for incoming text messages, and forwards them to a remote Web server.
Trusteer published a lengthy blog post today that mentions an attack by this threat “that was used in conjunction with Zeus 220.127.116.11. The user was first infected with Zeus on their PC and then Zeus showed the message requesting the user to download the Android malware component.” In a phone interview, Trusteer CEO Mickey Boodaei said crooks used the Trojan in live attacks against several online banking users during the first week of June, but that the infrastructure that supported the attacks was taken offline about a month ago.
Boodaei offers a bold and grim forecast for the development of mobile malware, predicting that within 12 to 24 months more than 1 in 20 (5.6%) of Android phones and iPads/iPhones could become infected by mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits.
The last bit about exploit kits is key, because almost all mobile malware developed so far uses some type of social engineering to install itself on a device. Boodaei predicts a future time when crooks begin incorporating mobile phone vulnerabilities into automated exploit kits like BlackHole and Eleonore, which use security flaws to install malicious software when the user visits a booby-trapped site with a vulnerable device.
Trusteer’s prediction is timely: jailbreakme.com, which allows users to jailbreak their iPads or iPhones by browsing to the site, leverages an unpatched, critical vulnerability in Apple iPhones and iPads. Experts are warning that such exploits could also be used to download and install malware. Meanwhile, the folks that devised the exploit used by jailbreakme.com have issued a program that lets jailbreakers patch the flaw — meaning that until Apple issues an official fix for the bug, people who have jailbroken their iPhones or iPads are potentially more secure than regular users.
Kevin Mahaffey, co-founder and CTO of Lookout Mobile Security, called the Zitmo variant a notable development, but said it is somewhat unsophisticated. Mahaffey said that a more disturbing class of malware is emerging for Android that convinces users to install the application by disguising itself as an in-app advertisement . Dubbed “GGTracker,” this Android Trojan is automatically downloaded to a user’s phone after he or she visits a malicious Web page that imitates the Android Market. According to Lookout, the Trojan is able to sign up victims for a number of premium SMS subscription services without the user’s consent.
GGTracker is a reminder that mobile users need to be just as vigilant about mobile phone threats as they are with a personal computer. That doesn’t mean mobile users need to install antivirus software; common sense and some basic street smarts will suffice. For example, Trojans like GGTracker can be avoided by paying attention to the URL in a browser’s address bar — something users should already be trained to do to avoid phishing scams. The first two rules from Krebs’s Three Basic Rules for Online Safety also apply to the mobile world: If you didn’t go looking for it (in this case Zitmo), don’t install it; if you installed it, update it (let’s hope that Apple will quickly issue a patch for its vulnerability).