A new variant of SpyEye that targets Android devices has been detected.
According to Trusteer, ‘DroidOS/Spitmo’ is "virtually undetectable" and has shifted its delivery and infection methods. Amit Klein, CTO at Trusteer, said it infects devices when users download a rogue mandatory security measure. He said this is disguised as an Android application that claims to protect the phone's SMS messages from being intercepted and the user against fraud.
“Once the user clicks on ‘set the application’, they are given further instructions to walk them through downloading and installing the application,” Klein explained. “To complete the installation, the user is instructed to dial a number; this is intercepted by the Android malware and an activation code is presented, to be submitted later to the website. Besides concealing the true nature of the application, this ‘activation code’ does not serve any legitimate purpose.”
Amit said: “This attack is yet to gain momentum, but that's just a matter of time. This is a very real early warning and I'm pretty sure it's only just started. What makes all of this so scary is that the application is not visible on the device's dashboard, making it virtually undetectable, so users are not aware of its presence and will struggle to get rid of it.”
Symantec first discovered SpyEye in February 2010 and classified it as a Trojan "that may steal information from the compromised computer" and that specifically affects the Windows OS. Symantec said the SpyEye toolkit is similar to Zeus in that it contains a builder module for creating the Trojan bot executable with a configuration file, and a web control panel for command and control of a botnet.
Spitmo was initially detected by F-Secure in April when a variant was used in an attack against a European bank - the Trojan added question fields to the bank's website, asking customers to enter their mobile phone number and the device's IMEI.
Sean Sullivan, security advisor at F-Secure, said: “Spitmo.A contains the malicious executable (sms.exe) and another installer, which contains an executable named SmsControl.exe. SmsControl.exe will just display the message ‘Die Seriennummer des Zertifikats: Ü88689-1299F’ to fool the user into thinking that the installer was indeed a certificate.
“The name SmsControl.exe is quite a coincidence, as a variant of ZeusMitmo used the same name for the file containing the Trojan. Faking the Trojan to be a certificate is also a trick that ZeusMitmo has used. However, the code itself looks completely different than in ZeusMitmo.”
It was suspected last November that Zeus and SpyEye had merged, while Peter Kruse, partner and security specialist at CSIS Security Group, said in March that there were unconfirmed reports that the Zeus code had been sold to the creator of SpyEye.