ZeuS, SpyEye Targeting Android OS

Jay Decenella, IT audit expert
September 16, 2011 /

ZeuS Trojan, one of the most destructive malware seen in the wild and whose source code has recently been made available in the underground market for free, is targeting the Android OS.

Android, one of the most popular operating systems for mobile devices, is feared to be next in line of target operating systems by the banking Trojan following reports of a growing threat landscape of Android malware according to Arun Sabapathy, a malware research scientist with McAfee Labs in Bangalore, India. Sabapathy observed a malicious Android package in their collection that uses a rooting exploit targeting Android devices running OS Versions 2.3 or earlier to gain root privileges on the compromised device.

The start of 2011 has been marked with reports about the “merger” of ZeuS and SpyEye Trojan horses, forming another bigger banking malware. Although it remains unclear whether the leaked source code of ZeuS has been included in the new version of SpyEye, it is clear that both families are quite active, especially targeting Android, said Carlos Castillo, Malware Researcher at McAfee Labs.

“Despite serving the same purpose as the Zeus version for Android (known as Zitmo, for Zeus in the mobile), SpyEye (dubbed Spitmo, for SpyEye in the mobile) has some interesting differences according to Castillo.

He noted that both work to defeat a second factor of authentication in an electronic transaction – in this case an mTAN (mobile transaction authentication number)– by forwarding all incoming SMS to a remote server after the username and password have been captured from the infected computer.

SpyEye fortunately established new interesting characteristics of the two banking Trojans.

First, SpyEye and Zeus are said to be using the same distribution method (a computer infected with SpyEye will suggest the user enter a URL in a mobile device to download the malicious Android app), but the user interaction is different. SpyEye does not look like a security tool, as ZeuS for Android does.

In addition, SpyEye does not run in the background as a service as it is not active until a predetermined number (325000) is dialed or an SMS is received.

“SpyEye might take this step to reduce the presence of the malware in the device,” Castillo noted.

“It will not have a user interface and will not appear in the Running tab of the Manage Applications window.”

Another difference observed by McAfee is that instead of seeing the IMEI on the screen, the user (of the infected computer) is instructed to call a specific number to get a fake “authentication code” that will always be the same.

Sending an SMS to the attacker can affect victims because the forwarded SMS can generate additional expenses. Also, given that the configuration lies outside the malicious code, the delivery method can be different among the variants of the malware.

SpyEye carries its URLs for receiving the stolen information in one settings file unlike ZeuS, making the URLs easily changeable among variants.

Furthermore, the stolen SMS are sent without encryption to the attacker’s URL, Castillo said.

“Unlike Zeus for Android (which uses a JSON object in a POST request to send the stolen information), SpyEye uses URLEncoder to ‘encode’ the data by converting some characters (except letters, numbers, and some special characters) into hexadecimal values preceded by ‘%.’”

This basically transmits the data in clear text.

Zeus and SpyEye are similarly trying to obtain the mTANs sent in an SMS to perform electronic transactions that require this second factor of authentication.

“But the new version of SpyEye for Android adds interesting functions to slow down the analysis process, provide flexibility, and affect the user in different ways,” Castillo said.

 

Share your opinion