"The malware poses as a banking activation application," said Axelle Apvrille, a senior antivirus analyst and researcher for Fortinet, in a blog post. "In the background, it listens to all incoming SMS messages and forwards them to a remote web server."
That's a security risk, as some banks now send mTANs--mobile transaction authentication numbers, which is banking-speak for one-time passwords for authenticating transactions--via SMS. By intercepting these passwords, the Zeus-botnet-using criminal gang behind Zitmo can not only create fraudulent money transfers, but verify them.
While Zitmo isn't new, this Android variant is. "Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for a several months," said Aprvrille.
The attack is ingenuous because the malicious smartphone application often gets pushed by malware after it's infected a PC, but not until the user visits a banking website. At that point, "the malware kicks in and asks the user to download an authentication or security component onto their mobile device in order to complete the login process," said Trusteer CEO Mickey Boodaei in a blog post. "The user wrongly assumes this message comes from the bank while in reality it comes from the malware. Once the user installs the malware on the mobile device the fraudsters control both the user's PC and the user's phone."
To help block malware attacks against their customers, new guidelines from the Federal Financial Institutions Examinations Council (FFIEC) recommend that banks consider out-of-band authentication, such as mTANs. But as Zitmo illustrates, however banking regulators revise the guidelines, attackers often find techniques for defeating the new security measures.
Boodaei said that the current threat from smartphone-seeking malware is relatively small, especially because many banks don't use mTANs, and because few people bank using smartphones. But if mobile banking does take off, beware, since the Android security architecture won't be able to stop those types of attacks, given the ease with which users can be tricked, via social engineering attacks, into installing third-party applications.
But he said another worry is that--as with Windows PCs today--attackers will find zero-day vulnerabilities in mobile devices that let them install malicious applications on the fly. That would most likely be accomplished by a prevalent fraudster technique, which is to compromise a website, then install an exploit kit, which uses known or zero-day vulnerabilities to infect all computers that visit the website, with malware.
Android wouldn't be the only operating system at risk from such automated exploits. Notably, the zero-day PDF vulnerability currently affecting the iPhone, iPad, and other iOS devices could be used to not only jailbreak a device, but also install malicious applications.
In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)