Zeus Trojan Mobile Variant Intercepts SMS Passcodes from Bank Sites

The famous Zeus banking Trojan has a new variant, Mitmo, targeting infected users's cellphones to intercept SMS messages from banking insitutitions to gain login credentials.

Malware authors are already a step ahead with new tricks as more banks and organizations move towards two-factor authentication to secure their Web sites.

A mobile variant of the Zeus banking Trojan is targeting ING customers in Poland by intercepting one-time passcodes sent to customer phones via SMS, according to F-Secure on Feb. 21. It appears to be the same style of attack as the one discovered by S21sec in September, F-Secure said.

The actual analysis of the variant, Zeus in the Mobile (ZitMo), was performed by security consultant Piotr Konieczny (Google Translate) on his personal site. Konieczny said customers of Polish bank MBank were also targeted.

Mitmo is fairly clunky in its execution, as it requires the user to first download an application to their phone, but attackers are tricking users into thinking it's a critical software update to keep the ability to receive more SMS alerts, Konieczny said. It can affect Symbian and Blackberry devices, said Konieczny, and it was likely to also target Windows Mobile devices, according to Denis Maslennikov, a malware researcher at Kaspersky Lab. Konieczny did not name Android or iPhones. Apple's iPhone and other iOS devices may be safe because rogue apps can't install unless the device has been jailbroken.

Considered by security experts to be one of the most sophisticated Trojans, Zeus originally targeted financial institutions by using keyloggers to steal users' login credentials as they were entered on banking sites. Many banks switched to two-factor authentication to thwart the Trojan, since the one-time passcodes that authorize transactions expire as soon as they are used. Mitmo intercepts the one-time passcodes before they can be used.

The most common two-factor authentication method involves sending out mTANs, mobile transaction authentication numbers, via SMS message as a one-time passcode for customers to enter on the Web site. Two-factor authentication combines something the user knows, the password, with something the user has, the phone that receives the SMS message, to tighten security. Google recently rolled out similar two-factor authentication for Gmail based on one-time passwords.

The two-pronged attack begins when Mitmo infects a user's computer, whether from a spam link, drive-by-download, or some other method, according to Konieczny. When the user then browses to a bank Web site, such as ING, users are shown a "security notification" to update their phone so that it can receive the SMS codes, Konieczny said.

The update process asks for mobile phone number and type of mobile device, he said. The Trojan injects HTML fields into the Web site, so there are no changes to the URL nor any changes to the header and footer of the page to hint that the security panel may not be legitimate, he said. Users don't realize the notification is not real and think they are enhancing their security by providing the information.

Once the attackers have the information, they send a SMS to the user with a link to some other Web site which downloads an app to the device. The app is claimed to be part of the security update so that users would be able to receive the passcodes. Once installed, the mobile app intercepts all SMS sent to the phone and forwards to another phone number, giving the attacker access to the user's bank information and any other site that sends information to the mobile device.

Mitmo dials back to the same command and control server based out of Great Britain, according to Maslennikov.

ING Poland said in an e-mail statement that none of the customer's accounts have been compromised by Mitmo at this time.