Android’s Got Zitmos All Over the Place

Android devices have once again been hit by a new form of malware. This time the culprit is a mobile variant of the Zeus banking Trojan that steals banking passwords.

Zeus and another malware package, SpyEye, “are the most malicious threats to financial institutions and their customers,” Mickey Boodaei, CEO of Trusteer, told TechNewsWorld.

Over the past year, 72 percent of the 3.2 million desktops Trusteer’s Rapport service disinfected were found to host various versions of these two malware packages, Boodaei said.

The mobile Zeus Trojan, which has been dubbed “Zitmo,” gets around security measures proposed less than three weeks ago by the Federal Financial Institutions Examinations Council (FFIEC).

Mobile malware is going to become an even greater threat as mobile banking and e-payment technologies such as NFC catch on.

With Android devices predicted to take the No. 1 spot in the mobile market by August, the threat is worsened.

The Hows and Whats of Zitmo

Zitmo is another version of Mitmo, or mobile man-in-the-middle malware, Trusteer’s Boodaei said.

Man-in-the-middle attacks intercept communications between the sender and receiver, putting a proxy in the middle. This proxy can read and modify all communications between the two.

Zitmo is designed to bypass the SMS out-of-band (OOB) authentication and transaction verification processes recommended by the FFIEC recently.

Here’s how OOB works: When a consumer goes to a bank’s website online from a PC, the bank sends a text message to the consumer’s phone number. This message includes the details of the transaction and a verification code.

The consumer types the verification code into the PC’s browser. The assumption is that, if the transaction was generated by malware, the user won’t complete the process and the bank won’t approve the transaction.

The Mitmo attack gets around this by intercepting a consumer’s attempt to access a bank’s website from a PC infected with Mitmo malware.

The malware then asks the victim to download an authentication or security component onto his or her mobile device to complete the login process. Assuming the bank sent the request, the user complies, and now the user’s mobile device and PC are both controlled by cybercriminals.

The malware then generates a fraudulent transaction, posing as the consumer. When the bank sends a confirmation message to the victim’s mobile device, the malware on the device sends that message to the victim’s PC. The malware on the PC automatically enters the confirmation code and approves the transaction.

The malware on the victim’s mobile device deletes the bank’s confirmation message from the mobile device to eradicate any traces of what happened.

Zitmo first caught security researchers’ attention in September, when Fortinet warned that it was likely intercepting SMS messages banks sent to their customers.

Initially aimed at Symbian, BlackBerry and Windows phones, the malware has apparently now been ported to the Android platform.

Mobile Banking’s Still Possible

However, the ability of Mitmo attacks to get around the FFIEC’s OOB recommendations don’t necessarily rule out mobile banking. It just makes the process more difficult.

“The FFIC … ultimately mandates a layered security approach with very specific minimum expectations,” Tiffany Riley, vice president of marketing at Guardian Analytics, told TechNewsWorld.

Trojans like Zitmo “further the notion that financial institutions must assume that the endpoint has been compromised,” so the first thing FFIEC expects banks to do is deploy a layered security program that uses behavior-based anomaly detection and transaction monitoring, Riley said.

“Anomaly detection is proven to fight fraud … and, because it’s behind the scenes, it cannot be compromised in the way that the endpoint can,” Riley explained.

No Acne Cream for Zitmo

Boodaei predicts that more than one in 20 Android and iOS devices could become infected by mobile malware in the next 12 to 24 months. He also said the security architectures of both Android and Apple’s iOS operating system are inadequate.

“It’s very easy to generate and publish malicious applications on the Android marketplace,” Boodaei explained. “There are no controls.”

Further, the variety of Android app markets means Android device users can download applications from anywhere. That lack of a central market makes it difficult to impose quality control on Android apps, Boodaei pointed out.

Existing mobile antimalware packages aren’t much good against mobile malware because they can’t scale, Boodaei said.

“When we start seeing tens of thousands of these malicious apps, it will take antimalware solutions too long to classify and remove malicious apps,” Boodaei explained. “It’s the same problem antimalware packages have today on the PC.”

New solutions that can detect malware based on its behavior without generating false positives are needed for both the PC and mobile platforms, Boodaei recommended.

Google did not respond to requests for comment by press time.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

CRM Buyer Channels