Teamwork: How the ZitMo Trojan Bypasses Online Banking Security

AppId is over the quota
AppId is over the quota

Mobile transaction authorization numbers (mTAN) used to be one of the most reliable online banking protection mechanisms. However, with the emergence of a ZeuS Trojan for smartphones – ZeuS-in-the-Mobile, or ZitMo – mTANs can no longer guarantee that valuable user data will not fall into the hands of cybercriminals.

First detected in late September 2010, ZitMo is designed to steal mTAN codes sent by banks in text messages and remains one of the most interesting examples of malware for mobile phones. “First of all, it is cross-platform in nature: we detected versions for Symbian, Windows Mobile, BlackBerry and Android,” explains Denis Maslennikov, Senior Malware Analyst at Kaspersky Lab. “It is a Trojan with a very narrow specialization: its main aim is to forward incoming text messages with mTAN codes to malicious users (or a server, in cases involving ZitMo for Android) so that the latter can execute financial transactions using hacked bank accounts. But perhaps its most distinctive feature is its ‘partnership’ with the classic PC-based ZeuS Trojan. Without the latter, ZitMo is merely spyware capable of forwarding text messages. The ‘teamwork’ between the two components enables cybercriminals to successfully bypass mTAN security measures used in online banking.”

The attacks are generally orchestrated as follows:

• Cyber criminals use the PC-based ZeuS to steal the data needed to access online banking accounts and client mobile phone numbers.
• The victim’s mobile phone (see point 1) receives a text message with a request to install an updated security certificate, or some other necessary software. However, the link in the text message will actually lead to the mobile version of ZeuS.
• If the victim installs the software and infects his phone, then the malicious user can then use the stolen personal data and attempt to make cash transactions from the user’s account, but will need an mTAN code to authenticate the transaction.
• The bank sends out a text message with the mTAN code to the client’s mobile phone.
• ZitMo forwards the text message with the mTAN code to the malicious user’s phone.
• The malicious user is then able to use the mTAN code to authenticate the transaction.

Attacks involving ZitMo or malicious programs with similar functionality that are designed to steal mTAN codes or other confidential information will no doubt continue in the future. Therefore users of smartphones should remember some important rules of mobile security: always review the permissions that an application requests at install time; do not root or otherwise 'Jailbreak' your phone; avoid side loading (installing from non-official sources) when you can. If you do install Android software from a source other than the Market, be sure that it is coming from a reputable source. Don’t click the URLs you receive in spam SMS. Run a reputable antivirus on your phone, and keep it up to date. Install any and all security patches as soon as they are available.

For more details on the ZitMo Trojan and how it functions on different mobile platforms, see Denis Maslennikov’s article ‘ZeuS-in-the-Mobile – Facts and Theories’ at: www.securelist.com.