Last September, the Juniper Networks Global Threat Center team uncovered the first mobile variant of the notorious ZEUS banking trojan, dubbed as "ZITMO", which was aimed at stealing online banking credentials. This version of mobile trojan targeted RIM BlackBerry devices and devices running the Nokia Symbian operating system. After a few months, a new variant of ZITMO was found targeting Microsoft Windows Mobile OS. It followed a similar approach as its predecessor, but with a difference in the mobile platform that it targeted.

Soon after its detection on Windows Mobile devices, the malware writers released another version of ZITMO that targeted devices running the Google Android OS. This threat was detected in July 2011 and by this time ZITMO had targeted all the major mobile platforms. Following a similar strategy, another prominent Windows Mobile OS banking trojan SpyEye, dubbed as “SPITMO” was detected on BlackBerry and Symbian OS in April 2011. Within a short span this threat resurfaced and has been found targeting the Android mobile operating system. Initial findings on this threat were disclosed by security firm Trusteer.

The SpyEye trojan for mobile intercepts incoming text messages and uploads them to a remote server. In comparison to recently discovered Android malware, SpyEye may be considered less offensive in terms of the data that it collects, but due to its focused task of stealing online banking credentials, it indeed carries a significant threat to the victim. It's distributed from compromised Spanish bank websites where the user is directed to install an Android application aimed at securing their device from SMS interception. Ironically, the application meant to prevent SMS interception acts as a malicious application.

Needless to say, it involves multiple steps before SPITMO can be installed on an Android. However, noticing the sheer determination of malware writers to gain access to the credentials, it's not too far in the future that we can expect mobile users to encounter more sophisticated variants of such mobile trojans.

Please note that Junos Pulse Mobile Security Suite users are already protected against this threat; it’s detected as A.Spitmo.c.

This article offers information on SPITMO’s covert activities on an Android device.

First Step:

The infected bank website provides the installation instructions and the URL from where SPITMO is downloaded. Figure 1 shows the screenshot of installed SPITMO on a victim's Android and the permissions requested by it. Upon installation, it hides itself from the Android dashboard, i.e. no visible icon, and it runs silently in the background. Moreover, it uses the display name “System”, which seems like a legitimate Android system application.

Figure 1: SPITMO installed on Android and permissions requested by it

Second Step:

After installation the user is instructed to dial "325000" to activate the application. The call is intercepted by the application and it shows a hard-coded registration number to the user, which the user must enter on the infected site to complete the installation. This activity is shown in Figure 2, whereas Figure 3 shows the code snippet that performs the abovementioned activity.

Figure 2: User activating SPITMO on Android

Figure 3: Code snippet that performs the above operation

The above two steps summarize the installation of SPITMO and hereafter it runs in the background to intercept incoming text messages. In order to follow along with the background operation of SPITMO on Android, we setup two Android emulators; one is infected with SPITMO and the other emulator is used to send text messages to the infected emulator. Figure 4 shows the text conversation between the two emulators.

Figure 4: Text conversation between two Android emulators.

The following code snippet shows the interception of the incoming text messages by SPITMO. The sender's number along with the text is passed as a parameter to a method called "performAction(, ,)", which uploads the contents of the message to a remote server. The code snippet of “performAction(,,)” method is shown in Figure 6.

Figure 5: Code that intercepts SMS messages

Figure 6: Code that uploads the intercepted SMS messages to a remote server

The SPITMO trojan utilizes four remote servers to ensure that an intercepted SMS message is uploaded to one of the servers; this offers additional robustness to it. Figure 7 shows the URL’s of the remote servers to which SPITMO attempts to upload the SMS messages.

Figure 7: Remote server URL’s hardcoded in "Settings.xml" in the asset folder

At the time of this analysis of SPITMO, all the servers were down. Hence I used "fakedns" script to resolve all the DNS queries to the local machine and launched "netcat" on port 80 to listen to all the incoming connections as shown in Figure 8 and Figure 9.

Figure 8: Fakedns script resolves DNS requests

Figure 9 shows the captured traffic on port 80 that contains the incoming text message along with the sender's and receiver's phone numbers. Surprisingly, SPITMO not only intercepts, but hijacks the incoming text messages. The native SMS application on an infected Android device does not receive any inbound messages. Even though it stays hidden on the Android device, this peculiar behavior could aid in its detection.

Concluding Remarks

SPITMO is not found on the official Android Market and it’s not yet considered to be a widespread threat on Android OS. However, considering the rapid growth in mobile malware, the Juniper Networks Global Threat Center suggests:

• Practice due diligence before downloading applications.
• Restrict your download of applications to those only from trusted and reputable sources.
• Before hitting the “Install” button, pay careful and close attention to the permissions requested by the app you’re downloading and, if the permissions don’t make sense for the type of app being downloaded, don’t download it!
• Be wary of unusual activity on your mobile device and protect the integrity of your data by installing antivirus and antimalware applications.

And, as mentioned previously, Junos Pulse Mobile Security Suite users are already protected against this threat.