Jul 9, 2011 10:55 GMT  ·  By

Security researchers have identified a Zbot component designed for Android which steals mobile transaction authentication numbers sent by banks via SMS.

ZeuS, aka Zbot, is one of the most popular banking trojans. Even though the original author of the malware has retired, the source code is available online for anyone to modify and fit it to their needs.

Zbot originally targeted desktop systems and stole financial information and online banking credentials which fraudsters exploited.

However, in recent years, more and more banks have introduced additional layers of security, such as two-factor authentication systems which in addition to passwords also require one-time-use codes generated with special devices.

But it's not only accounts that have been protected with this method. Some banks require each transaction request to be confirmed by inputting a unique code sent to the account owner's mobile phone.

These codes are known as mobile transaction authentication numbers (mTAN) and make it a lot harder to steal money from compromised accounts, even if attackers have full control over the victim's computer.

In order to continue stealing money, ZeuS fraudsters had to find a way to capture these mTANs, and with the help of a man-in-the-mobile (mitmo) component and a little social engineering they managed to do that.

Last year security researchers began discovering ZeuS-related mobile malware created specifically to steal mTANs from phones running Symbian, Windows Mobile and BlackBerry.

However, a sample targeting Android devices has only shown up on the radar during the past couple of weeks. "Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when propagated by the ZeuS gang," says Fortinet security researcher Axelle Apvrille.

According to the security expert, the malware poses as a banking activation application, but after it's installed it intercepts all SMS messages and uploads them to a remote server. Users are advised to always check any request to install such software on their computers or mobile phones with their bank.
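The capability described above (a receiver that grabs every incoming SMS plus network access to upload it) is visible in an app's manifest before the app ever runs. The following is an added example, not code from the article or from Fortinet: it inspects a decoded AndroidManifest.xml and flags that permission combination. The manifest text is constructed for illustration, and the package and class names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def analyse_manifest(manifest_xml: str) -> dict:
    """Summarise the SMS and network capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            # A high intent-filter priority lets the receiver see an SMS
            # before the phone's normal messaging app does.
            prio = max((int(f.get(ANDROID_NS + "priority", "0"))
                        for f in receiver.iter("intent-filter")), default=0)
            sms_receivers.append((receiver.get(ANDROID_NS + "name"), prio))
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "internet": "android.permission.INTERNET" in perms,
        "sms_receivers": sms_receivers,
    }


def is_suspicious(report: dict) -> bool:
    """Flag the mTAN-stealer pattern: read incoming SMS and talk to the network."""
    return bool(report["sms_permissions"]) and report["internet"] \
        and bool(report["sms_receivers"])


# Constructed sample manifest (hypothetical names) shaped like a fake
# "bank activation" app that intercepts SMS and has network access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankactivation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Activation">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(analyse_manifest(SAMPLE_MANIFEST), is_suspicious(analyse_manifest(SAMPLE_MANIFEST)))
```

A real APK's manifest is binary XML and must first be decoded (for example with apktool or aapt) before it can be fed to this check.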