Write Once, Mobile Malware Anywhere

The Zeus (Zbot) crimeware is sold to criminals as a complete toolkit for building custom Trojans, usually to steal banking logins.  The Trojans are generally quite complex: they inject HTML into banking websites in the Internet Explorer and Firefox web browsers, intercept keystrokes, and grab screenshots.  Until a few months ago the Zeus infrastructure targeted only Windows PCs, but the adoption of certain security measures (mobile transaction authentication numbers, mTANs, sent via SMS) used by some banks caused the criminals to change their tactics.

SymbOS/Zitmo.A was a mobile spyware application used to intercept the mTAN SMS messages sent from an infected user’s bank and forward them to an attacker.  The PC-side Zeus Trojan gathered information from victims about their mobile phones so that a download link targeted at the right handset could be sent to them.  The attacker could then change which numbers were monitored by the spyware in order to go after specific banks.  This particular group of crooks was using SymbOS/Zitmo.A in a targeted attack against Spanish banks.  It was suspected that a BlackBerry version of the spyware was also being distributed, but no samples have yet been found.
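As an added example (not code from the original post, and not Zeus or Zitmo code), here is a defender-side check in Python for the behaviour described above: an inbound SMS from a bank sender carrying a one-time code, followed within seconds by an outbound SMS to an unlisted number carrying the same code. The log format, the BANK-ALERT sender alias, the six-digit code shape and every phone number are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed device-side SMS log: timestamp, direction, peer, body.
# BANK-ALERT and every phone number here are invented placeholders.
SMS_LOG = """\
2011-02-24T09:15:02 IN  BANK-ALERT    Your mTAN for transfer 4,500 EUR is 381204
2011-02-24T09:15:05 OUT +447000000000 Your mTAN for transfer 4,500 EUR is 381204
2011-02-24T11:40:10 IN  +346000000001 see you at 8
2011-02-24T11:41:00 OUT +346000000001 ok, 8 it is
2011-02-24T13:02:44 IN  BANK-ALERT    Your mTAN for login is 902311
2011-02-24T13:02:46 OUT +447000000000 902311
"""

LINE_RE = re.compile(r"^(\S+)\s+(IN|OUT)\s+(\S+)\s+(.*)$")
CODE_RE = re.compile(r"\b\d{6}\b")  # assumed mTAN shape: six digits

@dataclass
class Sms:
    ts: datetime
    direction: str  # "IN" or "OUT"
    peer: str       # sender for IN, recipient for OUT
    body: str

def parse_log(text):
    """Parse the constructed log format into Sms records, oldest first."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            msgs.append(Sms(datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return sorted(msgs, key=lambda s: s.ts)

def find_forwarded_mtans(msgs, bank_senders, trusted_peers,
                         window=timedelta(seconds=60)):
    """Return (inbound, outbound) pairs where a code received from a bank
    sender leaves the phone to an untrusted number within `window`."""
    hits = []
    for i, inbound in enumerate(msgs):
        if inbound.direction != "IN" or inbound.peer not in bank_senders:
            continue
        codes = set(CODE_RE.findall(inbound.body))
        for out in msgs[i + 1:]:
            if out.ts - inbound.ts > window:
                break  # log is time-ordered; nothing later can match
            if (out.direction == "OUT" and out.peer not in trusted_peers
                    and codes & set(CODE_RE.findall(out.body))):
                hits.append((inbound, out))
    return hits
```

Run against the sample log, the two bank codes that reappear in outbound messages to the unlisted +447 number are flagged, while the ordinary chat exchange is not.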

Duplicated functionality: SymbOS/Zitmo.B sends the same activation SMS message as SymbOS/Zitmo.A.

The bank (account) robbers have not stopped at their first mobile spyware attempt.  This time around the thieves went after bank accounts in Poland.  Their latest update adds MSIL/Zitmo.B (for Windows Mobile/.Net Compact Framework) and SymbOS/Zitmo.B.  Both Zitmo.B variants were very likely written by the same author.  They appear to re-implement the command set and functionality of SymbOS/Zitmo.A.   SymbOS/Zitmo.A itself was closely based on a commercial spyware application.

SymbOS/Zitmo.B process running on a Symbian phone. The spyware does not show a GUI.
MSIL/Zitmo.B running on device. The spyware does not show a GUI.

There are a number of commercial mobile spyware programs, and malware creators have used them in the past (e.g., SymbOS/MultiDropper.CG, SymbOS/Zitmo.A). The problem malware authors run into with known spyware is that it will be detected by mobile security software.  Avoiding detection and maintaining ownership of the code may be the driving reasons why the authors of Zeus have contracted out their mobile development.

Mobile Malware Benefiting From Virtual Machines?

The people behind Zeus are now targeting at least two, if not three, of the major smartphone platforms.  Writing for one smartphone platform can be challenging; writing for multiple devices can be a bigger headache.  By writing a malicious app for the .Net Common Language Runtime (CLR) and Compact Framework, the Zeus authors might be trying to take advantage of coding for virtual machines (VMs).

There are a number of benefits of using VMs for the malware author:

  • maintaining compatibility
    • APIs on the VM will remain the same
  • code reuse
    • working parts of the malware (SMS sending, Bluetooth transfers, etc.) don’t need to be rewritten
  • affecting more devices/OS
    • malware can run on vastly different phones or devices

The authors of J2ME Trojans that send premium-rate SMS messages certainly understood the advantages of targeting the Java Virtual Machine (JVM) on mobile phones.  At last count we’ve seen over 100 variants in 20+ different families of mobile Java Trojans.  For a time, J2ME was the second largest mobile malware category and we expected malware authors to continue to go after it.  Instead, with the rise in Android phone activations, malware writers have recently targeted Android’s Dalvik VM with premium-rate SMS Trojans like Android/Fakeplayer.A.

This move towards the Dalvik VM may soon increase as other, non-Android devices gain the ability to run its applications.  Myriad Group, a member of the Open Handset Alliance (which develops Android along with Google), is working on a Dalvik-compatible VM for smartphones running other operating systems.  Their “Alien Dalvik” virtual machine runs unmodified Android apps (non-NDK) on a non-Android phone at the same speed as on an Android phone.

Alien Dalvik currently runs on a Nokia N900. Apps run at the same speed as on an Android phone with nearly identical specs. Credit: PRNewsFoto/Myriad Group AG

Given the availability of a common smartphone virtual machine (Dalvik on Android, Alien Dalvik on other operating systems), it would not surprise us if the Zeus authors eventually consolidated their mobile malware onto that single platform.  Instead of just “Angry Birds”, one could also get the latest spyware or SMS Trojan.
