The malware is disguised as legitimate applications on Google Play
ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo) are not the only pieces of malware used by cybercriminals to gain access to the bank accounts of users. Recently, they’ve started relying on the mobile version of Carberp.While ZitMo and SpitMo have mainly been seen targeting the users of European countries, such as Spain Germany or Italy, Carberp-in-the-Mobile (CitMo) is mostly utilized against Russian bank customers.
In order to gain access to online banking accounts, the attackers need to get a hold not only of the victim’s username and password, but also of the mobile Transaction Authentication Number (mTAN) that’s used for two-factor authentication.
According to Kaspersky experts, this is where CitMo steps in. The latest variant alters online banking webpages on the fly and presents users with a page that asks them to install an application that’s allegedly needed to enter the system.
Victims can obtain this application by entering their phone number or by scanning a QR code.
Customers of Russia’s Sberbank are provided with a link to a fake SberSafe app hosted on Google Play until recently.
Once installed, this app allows the crooks to gain access to the SMS messages containing the mTANs sent by the bank.
When they’re executed, they prompt victims to enter their mobile phone numbers. Then, users receive a confirmation code which they must enter into the application.
This process allows the cybercriminals to identify the phone when it sends data to the server, to set which received SMS messages should be hidden and which ones should be visible.
This way, the crooks can perform as many fraudulent transactions as they want without getting noticed.
Basically, CitMo works the same way as ZitMo. It hides certain received messages and forwards them to the attacker.
Similar apps, designed for AlfaBank (AlfaSafe) and Vkontakte (VkSafe) users, have also been spotted on Google Play.