
Risk Affecting Online Banking via Smart Phone

October 25, 2010 / October 22nd, 2014

Researchers have discovered a variant of the Zeus bot malware that specifically targets users who perform online banking operations from their mobile phones, playing on the increasingly common use of SMS-based, one-time passwords in order to fool users into loading the malware.

The attack begins with a typical desktop-based Zeus infection, which often is accomplished through a drive-by download from an infected legitimate site. The malware steals the victim’s online banking user name and password, and then forces the user to click on a link delivered via an SMS message. This link purports to be installing a new digital certificate for the online banking application, according to research done by S21Sec, a security services company in Spain.

The attacker then logs into the online banking site, using the mobile device as a proxy, and performs an action, such as a transfer, that will send an SMS to the victim’s phone with a one-time password for the transaction. The malware intercepts the SMS and forwards it to an attacker-controlled device, on which the attacker then finishes the transaction.

The current version targets BlackBerry and Symbian devices, as they can download and install any application. The malicious application is called “Nokia update,” giving it a good chance of being installed by unsuspecting users.

“The application that the user installs in his mobile device is a simple application that will monitor all the incoming SMS and will install a backdoor to receive commands via SMS. We have analyzed the Symbian S60 application, which has the name ‘Nokia update’,” the company said in an analysis of the attack. “The technique that the malicious application uses for monitoring the incoming SMS without notifying the user is not something advanced (it is using the Symbian API), but allows the trojan to use the SMS stack for its own profit without showing any SMS in the mobile screen.”

“It is difficult to get the complete picture of this emerging threat vector as the C&C used by the Zbot.PUA is no longer online, but based on the analysis and their configuration files, this attack is not a one-off by some hobbyist. It’s been developed by individuals with an excellent understanding of mobile applications and social engineering.”

We expect that they’ll continue. [by Dennis Fisher, Threatpost, 9/27/10]