Criminals have developed a component of the ZeuS Trojan designed to run on Google Android phones. The new strain of malware comes as security experts are warning about the threat from mobile malware that may use tainted ads and drive-by downloads.

Image courtesy Fortinet.

Researchers at Fortinet said the malicious file is a new version of “Zitmo,” a family of mobile malware first spotted last year that stands for “ZeuS in the mobile.” The Zitmo variant, disguised as a security application, is designed to intercept the one-time passcodes that banks send to mobile users as an added security feature. It masquerades as a component of Rapport, a banking activation application from Trusteer. Once installed, the malware lies in wait for incoming text messages, and forwards them to a remote Web server.

Trusteer published a lengthy blog post today that mentions an attack by this threat “that was used in conjunction with Zeus 2.1.0.10. The user was first infected with Zeus on their PC and then Zeus showed the message requesting the user to download the Android malware component.” In a phone interview, Trusteer CEO Mickey Boodaei said crooks used the Trojan in live attacks against several online banking users during the first week of June, but that the infrastructure that supported the attacks was taken offline about a month ago.

Boodaei offers a bold and grim forecast for the development of mobile malware, predicting that within 12 to 24 months more than 1 in 20 (5.6%) of Android phones and iPads/iPhones could become infected by mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits.

The last bit about exploit kits is key, because almost all mobile malware developed so far uses some type of social engineering to install itself on a device. Boodaei predicts a future time when crooks begin incorporating mobile phone vulnerabilities into automated exploit kits like BlackHole and Eleonore, which use security flaws to install malicious software when the user visits a booby-trapped site with a vulnerable device.

Trusteer’s prediction is timely: jailbreakme.com, which allows users to jailbreak their iPads or iPhones by browsing to the site, leverages an unpatched, critical vulnerability in Apple iPhones and iPads. Experts are warning that such exploits could also be used to download and install malware. Meanwhile, the folks that devised the exploit used by jailbreakme.com have issued a program that lets jailbreakers patch the flaw — meaning that until Apple issues an official fix for the bug, people who have jailbroken their iPhones or iPads are potentially more secure than regular users.

Kevin Mahaffey, co-founder and CTO of Lookout Mobile Security, called the Zitmo variant a notable development, but said it is somewhat unsophisticated. Mahaffey said that a more disturbing class of malware is emerging for Android that convinces users to install the application by disguising itself as an in-app advertisement . Dubbed “GGTracker,” this Android Trojan is automatically downloaded to a user’s phone after he or she visits a malicious Web page that imitates the Android Market. According to Lookout, the Trojan is able to sign up victims for a number of premium SMS subscription services without the user’s consent.

GGTracker is a reminder that mobile users need to be just as vigilant about mobile phone threats as they are with a personal computer. That doesn’t mean mobile users need to install antivirus software; common sense and some basic street smarts will suffice. For example, Trojans like GGTracker can be avoided by paying attention to the URL in a browser’s address bar — something users should already be trained to do to avoid phishing scams. The first two rules from Krebs’s Three Basic Rules for Online Safety also apply to the mobile world: If you didn’t go looking for it (in this case Zitmo), don’t install it; if you installed it, update it (let’s hope that Apple will quickly issue a patch for its vulnerability).

A periodic pointer to some of the more interesting and newsworthy security news stories. In no particular order:

Proof-of-concept for Mac OS X systems Released
Possible Malicious Apps for Google’s Android Phone
Online Gaming Exec. Sentenced to 33 Months
‘Massive Cybercrime Conspiracy’

Read after the jump for summaries and links to more information.

–Dan Goodin from The Register writes that researchers have disclosed a critical vulnerability in the latest version of Mac OS X that they claim Apple has sat on for almost seven months without fixing. The Reg says the flaw “could be exploited by attackers to remotely execute malicious code, and virtually all Apple devices – including Mac computers and servers, iPhones, and even Apple TV – are susceptible.” Once again, full disclosure in the face of apparent vendor lethargy.

I exchanged e-mails about this threat last night with Dino Dai Zovi, probably one of the foremost experts on Mac security. Dai Zovi said while the flaw may be exploitable through a number of third-party applications that run on top of Mac OS X (Firefox, for example), it isn’t likely we’ll see this bug being exploited in the wild. “This vulnerability is more complex than much simpler vulnerabilities in Mac OS X that did not result in widespread exploitation,” Dai Zovi wrote in an email to KoS. ” There have yet to be any reports of Mac-based malware exploiting a browser vulnerability in order to install itself in the wild.  For that reason, I wouldn’t suggest that Mac users need to take action to protect themselves against this issue at this time.”

MITRE’s writeup on this vulnerability has a nice list of applications that may be a potential way to exploit this flaw.

–The blogs are abuzz with word of fraudulent apps being posted to the Android Market. The apps, reportedly created by an anonymous developer named “09Droid”, appear to be an attempt to snag online banking credentials from Android users. The F-Secure blog has a bit more on the nasty apps.

–The chief executive of an overseas, online gambling operation was sentenced by a U.S. judge to 33 months in prison after pleading guilty to racketeering, writes Wired.com’s Threat Level. The sentence, against David Carruthers, 52, a former executive at BetonSports, comes as U.S. lawmakers consider allowing Internet gambling, even as federal regulators step up enforcement of existing anti-online gaming laws.

–In other cyber justice news, a federal grand jury in Dallas last Friday indicted 19 people in what the government is calling a “massive cybercrime conspiracy” – a Web hosting scam that defrauded both customers and contractors, according to Dark Reading’s Tim Wilson. The accused alleged created a mess of shell companies purporting to be legitimate Web hosting and services providers, and used said companies to collect customer fees, obtain loans, and purchase good services. “In the end, many of the customers were left without Web servers, the loans were not repaid, and many contractors — including collocation service providers such as AT&T and Verizon — were never paid, the indictment says.”