Sep 27, 2010 09:12 GMT

Security researchers from S21sec report that a new component for the ZeuS crimeware toolkit allows attackers to steal SMS messages from Symbian and BlackBerry phones.

ZeuS, also known as ZBot, is an information stealing trojan used by many cyberfraudsters to capture online banking credentials and other sensitive data.

It is sold on the underground market as a toolkit, which allows generating customized versions of the trojan and the command and control (C&C) application.

But as two-factor authentication systems based on one-time passwords sent via SMS become more widespread, it is increasingly difficult for attackers to misuse the stolen logins on their own.

The new ZeuS component tries to counter that. It comes as a malicious mobile application, which is sent to the victim's phone as a download link.

The attack begins with a rogue form injected into an online banking session, asking users for their mobile phone model and number.

It also informs them that a link to install a new mobile security application used by the bank's system will be sent to their phone.

The SMS message carrying the URL tries to pass the app off as a digital certificate called cert.sis (Symbian) or cert.jad (BlackBerry).

Once installed, the mobile component sends a "hello" message to a predefined number, in order to let the command and control server know about the successful deployment.

From that point on, the application monitors and uploads all SMS messages to the server and allows attackers to send various commands back to the phone.

These include deleting, adding or editing a contact, as well as changing the C&C phone number. Notably, the last command is accepted from any phone number, not just the current C&C number.

"Although we cannot state that it is a really advanced malicious application, it really works, and the thin line between PC and mobile malware is thinner than ever," the S21sec researchers conclude.