Mobiles used by Zeus as SMS messages are used to deliver one time passwords

Warnings have been made of a new mobile threat which uses an SMS message to spread the Zeus Trojan.

Security firm S21sec called the attack ‘a better alternative planned by a Zeus gang' as it allows the attacker to infects the user's mobile device by forcing them to install a malicious application by sending a SMS with a link to the malicious mobile application. This is marked as a software update.

This then allows the attacker to login with the stolen credentials using the user's computer as a proxy and perform a specific operation that needs SMS authentication.

S21sec's David Barroso claimed that the Trojan will ask the user for new details such as mobile vendor, model and phone number and once the information has been filled in, an SMS will be sent to the mobile device with a link to download the new security certificate - the malicious application.

Further analysis found that the application that the user installs an application that monitors all the incoming SMS messages and it installs a backdoor to receive commands via SMS. One application for the Symbian S60 has the name 'Nokia update'.

Barroso said that the malware uses social engineering in different levels, as in the infection method an SMS is sent with a link to a 'new security certificate'; a mobile application is used so users will not be suspicious of a software update. Also with the manipulation of contacts/agenda, as users can add or change new contacts in the mobile device, making any calls or SMS more trustworthy.

“We are working with mobile carriers to help them to detect infected devices. Mobile carriers are the key actors in this incident, just because they are the only ones that can detect which devices are infected and block all the connections to/from the mobile command and control. Although we cannot state that it is a really advanced malicious application, it really works, and the thin line between PC and mobile malware is thinner than ever,” he said.

Detection by Fortinet said that it is logical to believe that it is aimed at defeating SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users.

It said that the malware is not ‘unexpected' because it anticipated that someone would use web servers to distribute platform-specific malware to victims. "Yet, it is the first time we acknowledge the technique to be used by a real gang", said Axelle Apvrille, senior computer security engineer at Fortinet.

Simeon Coney, VP of business development and strategy at AdaptiveMobile, said that in the 12-13 months that it has been around, Zeus has shown itself to be particularly sophisticated.

He said: “What is interesting here is that this is the first time an attack has been set to defeat two factor authentication. Symbian and Blackberry are being targeted and it will install software, and that is why the iPhone is not being targeted as users have to go through iTunes.

"This is not a mobile phone bug, it is using SMS for a one-time password as banks do offer a two-factor authentication via SMS as they don't want the cost of a token. This is targeting UK banks but I expect it will target any bank in the world or any industry.”

Alex Fidgen, director at MWR Labs told SC Magazine that what is different from the exploits highlighted by the company recently is that this does not use a vulnerability in the handset as it will ask them to use a certificate and to install an application on the phone, then the Trojan starts working.

He said: “I cannot see that the attack will affect many users but they should be aware but as there is no vulnerability and no user authentication required, we can see huge problems. This reminds me of what we have seen in desktop security ages ago where a .exe file was attached but most users were aware that it is not a good idea to open it,  but we see people exploiting application vulnerabilities without user interaction and we will see similar trends in the future.”

David Divitt, fraud and risk solutions consultant at ACI Worldwide, said: “The attack method currently seems to use the mobile phone as a forwarding device for any one time password that is delivered to the customer.

“It's unclear whether or not the mobile phone hack would hide the incoming SMS from the customer, however if it doesn't, then if banks ensure they include relevant transaction details in the SMS - amount, and beneficiary - it could allow the legitimate customer to detect that something has gone wrong prior to money being lost.

“However, if this is the beginning of these types of attacks, we can be sure that the sophistication will also ramp-up as time passes. It's easy to imagine a few other tricks that could be implemented in the mobile phone side of the attack to further mask the attack. Banks need to keep on top of these threats by maximising the technology they use in out-of-band communication and not simply using it as a basic notification service.”

Sign up to our newsletters