Trend Micro researchers have confirmed Zitmo, a mobile variant of Zeus, now targets BlackBerry devices. The Zeus-in-the-Mobile Trojan intercepts SMS messages and blocks phone calls.
With so many reports of Android
and iPhone malware, it was
only a matter of time before a BlackBerry variant emerged.
A variant of the Zeus banking Trojan targeting BlackBerry
smartphones was detected by security researchers at Trend Micro. With more
users using their phones to get up-to-date alerts on their bank account
balances, to add funds, or to receive password hints, mobile malware has become
a lucrative attack vector for cyber-criminals, wrote threat analyst Patrick
Estavillo on TrendLabs
on March 4.
The BlackBerry Zitmo flies under the user's radar because it
does not have a graphical user interface, and it can remove itself from the
list of applications attackers, Estavillo said. Mobile banking users unaware of
the infection on their phone would be inadvertently giving away their bank
Once the mobile Zeus has been installed on the smartphone,
it sends a confirmation message to the remote administrator at the
command-and-control server that it is ready to receive commands. The
confirmation message reads "App Installed OK," and is sent to a phone number in
the United Kingdom, Estavillo said.
Considered by security experts to be one of the most
sophisticated Trojans, Zeus
originally installed keyloggers on user desktops to
steal login credentials as they were entered on banking sites. Many banks
switched to two-factor authentication to thwart the Trojan, since the one-time
passcodes, sent by SMS message to the user's phones, expire as soon as they are
used. The Zitmo variant intercepts the passcodes by forwarding all SMS messages
to the remote attacker.
Zitmo forwards all messages on to the remote administrator
and can also delete and drop incoming SMS messages so that the user never sees
the messages sent from the hacker, Estavillo said. It can power the phone on or
off and display messages that look like real SMS messages. The Trojan can also
block specific phone numbers or incoming calls in general and remove the
blocked call from history so that the user again remains unaware of any calls
blocked. It can also create and remove administrator accounts on the phone.
The administrator can remotely change the phone number to
which BlackBerry Zitmo forwards all incoming SMS messages. If the original
number is unavailable or taken down by authorities, the remote attacker can
send a command to all infected phones that changes the administrator phone
number, ensuring that the attackers continue receiving all forwarded messages.
Trend Micro researchers have identified variants targeting
Nokia's Symbian OS and Windows Mobile. The Trojan is silently installed when
users go to a malicious Web site from their mobile browsers, or when
downloading applications that have the Trojan packaged inside. Once installed,
uses see a prompt to install a critical software update that was necessary to
keep being able to receive mobile banking alerts on their phone. A Zitmo
variant targeted ING
customers in Poland
late last month.
Researchers have long warned that mobile malware would
become more sophisticated as smartphones became more popular and powerful. With
the latest round of malicious applications found on Android Market
and a number
of iPhone malware prototypes, all mobile users need to exercise more caution
clicking on links to unfamiliar Websites or downloading applications on to the
phone, Estavillo said.