Security & Mobility Now
maggarwal

SpyEye Trojan Targets Android OS

by Juniper Employee on 09-22-2011 02:17 PM

Last September, the Juniper Networks Global Threat Center team uncovered the first mobile variant of the notorious ZEUS banking trojan, dubbed "ZITMO", which was aimed at stealing online banking credentials. This mobile trojan targeted RIM BlackBerry devices and devices running the Nokia Symbian operating system. A few months later, a new variant of ZITMO was found targeting the Microsoft Windows Mobile OS. It followed the same approach as its predecessor; only the targeted mobile platform differed.


Soon after its detection on Windows Mobile devices, the malware writers released another version of ZITMO that targeted devices running the Google Android OS. This threat was detected in July 2011, and by then ZITMO had targeted all the major mobile platforms. Following a similar strategy, another prominent Windows Mobile OS banking trojan, SpyEye, dubbed "SPITMO", was detected on BlackBerry and Symbian OS in April 2011. Within a short span this threat resurfaced and has been found targeting the Android mobile operating system. Initial findings on this threat were disclosed by the security firm Trusteer.


The SpyEye trojan for mobile intercepts incoming text messages and uploads them to a remote server. Compared with recently discovered Android malware, SpyEye may be considered less aggressive in terms of the data it collects, but because it focuses on stealing online banking credentials, it still poses a significant threat to the victim. It is distributed from compromised Spanish bank websites, where the user is directed to install an Android application that supposedly secures their device against SMS interception. Ironically, the application meant to prevent SMS interception is the malicious application.


Needless to say, multiple steps are involved before SPITMO can be installed on an Android device. However, given the sheer determination of malware writers to obtain credentials, we can expect mobile users to encounter more sophisticated variants of such mobile trojans in the not-too-distant future.


Please note that Junos Pulse Mobile Security Suite users are already protected against this threat; it is detected as A.Spitmo.c.


This article offers information on SPITMO’s covert activities on an Android device.


First Step:


The infected bank website provides the installation instructions and the URL from which SPITMO is downloaded. Figure 1 shows a screenshot of SPITMO installed on a victim's Android device and the permissions it requests. Upon installation, it hides itself from the Android dashboard (no visible icon) and runs silently in the background. Moreover, it uses the display name "System", which makes it look like a legitimate Android system application.


Figure 1: SPITMO installed on Android and permissions requested by it


Second Step:

After installation the user is instructed to dial "325000" to activate the application. The call is intercepted by the application, which shows the user a hard-coded registration number that must be entered on the infected site to complete the installation. This activity is shown in Figure 2, and Figure 3 shows the code snippet that performs it.


Figure 2: User activating SPITMO on Android


Figure 3: Code snippet that performs the above operation


The above two steps summarize the installation of SPITMO; from then on it runs in the background to intercept incoming text messages. To follow the background operation of SPITMO on Android, we set up two Android emulators: one is infected with SPITMO and the other is used to send text messages to the infected emulator. Figure 4 shows the text conversation between the two emulators.


Figure 4: Text conversation between two Android emulators.


Figure 5 shows the code in which SPITMO intercepts incoming text messages. The sender's number along with the message text is passed as a parameter to a method called "performAction(,,)", which uploads the contents of the message to a remote server. The code snippet of the "performAction(,,)" method is shown in Figure 6.


Figure 5: Code that intercepts SMS messages


Figure 6: Code that uploads the intercepted SMS messages to a remote server


The SPITMO trojan uses four remote servers to ensure that an intercepted SMS message is uploaded to at least one of them, which gives it additional robustness. Figure 7 shows the URLs of the remote servers to which SPITMO attempts to upload the SMS messages.


Figure 7: Remote server URLs hard-coded in "Settings.xml" in the asset folder


At the time of this analysis of SPITMO, all the servers were down. Hence I used the "fakedns" script to resolve all DNS queries to the local machine and launched "netcat" on port 80 to listen for all incoming connections, as shown in Figure 8 and Figure 9.


Figure 8: Fakedns script resolves DNS requests
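A minimal stand-in for the "fakedns" step of this lab setup, added here as an example; it is not the script used in the original post nor Juniper's tooling. It answers every A query with a single sink address (the analysis machine running the port-80 listener), so whatever hard-coded server names a sample resolves end up at the local listener and each lookup is logged. The sink address and the hostname used in the self-check are assumed sample values.

```python
import socket
import struct

# Assumed value: the analysis box that runs the port-80 listener (netcat in the post).
SINK_IP = "127.0.0.1"

def parse_qname(data, offset=12):
    """Return (dotted name, offset just past the name) for the first question."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def build_query(name, txid=0x1234):
    """Build a standard A/IN query; used here only to produce sample input."""
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def build_response(query, sink_ip=SINK_IP):
    """Answer an A/IN query with sink_ip; any other type gets an empty NOERROR reply."""
    txid = query[:2]
    name, qend = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
    question = query[12:qend + 4]
    if qtype == 1 and qclass == 1:
        # 0xC00C is a compression pointer to the name at offset 12 (the question section)
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    else:
        answer, ancount = b"", 0
    # Flags 0x8180: response, recursion desired and available, RCODE 0
    header = txid + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)
    return name, header + question + answer

def serve(sink_ip=SINK_IP, bind=("0.0.0.0", 53)):
    """Run as the emulator's DNS server and log every name the sample looks up."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        query, peer = sock.recvfrom(512)
        name, reply = build_response(query, sink_ip)
        print(f"{peer[0]} asked for {name} -> {sink_ip}")
        sock.sendto(reply, peer)

if __name__ == "__main__":
    serve()
```

Point the emulator's DNS at the host running this script (port 53 needs root) and the names listed in Settings.xml resolve to the listener instead of the real servers.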


Figure 9 shows the captured traffic on port 80, which contains the incoming text message along with the sender's and receiver's phone numbers. Surprisingly, SPITMO not only intercepts but also hijacks the incoming text messages: the native SMS application on an infected Android device does not receive any inbound messages. Even though the trojan stays hidden on the device, this peculiar behavior could aid in its detection.


Figure 9: Captured traffic on port 80


Concluding Remarks


SPITMO is not found on the official Android Market and is not yet considered a widespread threat on Android OS. However, considering the rapid growth in mobile malware, the Juniper Networks Global Threat Center suggests:


  • Practice due diligence before downloading applications.
  • Download applications only from trusted and reputable sources.
  • Before hitting the "Install" button, pay close attention to the permissions requested by the app you are downloading; if the permissions don't make sense for the type of app, don't download it!
  • Be wary of unusual activity on your mobile device and protect the integrity of your data by installing antivirus and antimalware applications.

And, as mentioned previously, Junos Pulse Mobile Security Suite users are already protected against this threat.


Comments
by Cygnis Media (anon) on 10-10-2012 04:51 AM

I agree. Would you trust a security company that works on assumptions rather than fact? Silly article, really.

Regards,

Cygnis Media
