
Researchers Identify Four BlackBerry Zitmo Variants

Security researchers have identified new Zeus malware samples targeting Android and BlackBerry devices.

Despite their significant user base within enterprises, BlackBerry devices have managed to stay off the radar of malware writers. That may be ending: Kaspersky Lab recently analyzed four new Zeus-in-the-mobile (Zitmo) samples targeting BlackBerry users in Germany, Spain, and Italy, Denis Maslennikov, a researcher at Kaspersky Lab, wrote on the company's Securelist blog. These variants were communicating with two command-and-control cell phone numbers associated with a Swedish mobile operator.

Zitmo refers to a version of the Zeus malware that specifically targets mobile devices. Previous Zitmo variants masqueraded as banking security applications or security add-ons in order to circumvent the out-of-band authentication systems used by some financial institutions: they intercepted one-time passwords sent via text message and forwarded them to another cell number that acted as a command-and-control device.
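As an added example (not from the article or from Kaspersky's analysis), the following Python check illustrates how the behaviour described above can be detected from message logs: a one-time code that arrives in one SMS and is re-sent to a different number within a short window is flagged. The log lines and phone numbers are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample SMS log (not real data): direction, ISO time, peer number, body.
# The first pair mimics the pattern in the text: an mTAN arrives from the bank and
# is forwarded seconds later to an unrelated number acting as the C&C device.
SAMPLE_LOG = """\
IN  2012-08-07T10:00:00 +49170000001 Ihr mTAN fuer die Ueberweisung lautet 482913
OUT 2012-08-07T10:00:04 +46700000002 482913
IN  2012-08-07T11:30:00 +49170000003 Treffen um 18 Uhr?
OUT 2012-08-07T11:31:10 +49170000003 Ja, bis dann
IN  2012-08-07T12:00:00 +49170000001 Ihr mTAN lautet 115577
OUT 2012-08-07T12:45:00 +49170000004 Code 115577 nicht benutzt
"""

OTP_RE = re.compile(r"\b\d{5,8}\b")  # one-time codes are typically 5 to 8 digits


@dataclass
class Sms:
    direction: str
    when: datetime
    peer: str
    body: str


def parse_log(text):
    """Parse the constructed log format into Sms records."""
    msgs = []
    for line in text.splitlines():
        direction, ts, peer, body = line.split(maxsplit=3)
        msgs.append(Sms(direction, datetime.fromisoformat(ts), peer, body))
    return msgs


def find_otp_forwarding(msgs, window=timedelta(seconds=60)):
    """Return (code, forwarded_to) pairs for codes received in one SMS and
    re-sent to a *different* number within `window` of arrival.
    Late or same-peer replies (a user answering the sender) are not flagged."""
    hits = []
    for inc in (m for m in msgs if m.direction == "IN"):
        for code in OTP_RE.findall(inc.body):
            for out in msgs:
                if (out.direction == "OUT" and out.peer != inc.peer
                        and inc.when <= out.when <= inc.when + window
                        and code in out.body):
                    hits.append((code, out.peer))
    return hits
```

Only the first code is reported; the second reuse happens 45 minutes later and falls outside the window, which keeps ordinary user replies from triggering the check.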

"Yes, finally we've got a ZitMo dropper file for BlackBerry," Maslennikov wrote.

The samples were three .cod files and one .jar file with a .cod file inside. The BlackBerry variants didn't have any major differences from other Zitmo versions in the wild, other than grammatical corrections, Maslennikov said. The list of commands used by the malware remained the same, according to the blog post.

Maslennikov also identified a new Zitmo variant for Android using the same command-and-control (C&C) numbers as the BlackBerry versions. While previous Android variants have been primitive, the latest .apk dropper, which shows up as an app called "Zertifikat," looks "more similar to 'classic'" Zitmo, he said. When executed, it displays a message in German that the installation was successful, along with an activation code.

The Android sample and the BlackBerry samples appear to share the same message within the code, Maslennikov said. The Android sample also included a self-issued certificate that indicates it was developed less than a month ago, he said.

"It's not that often when we hear/find a new wave of Zeus-in-the-mobile (or SpyEye-in-the-mobile) attack," Maslennikov wrote.

Compared to other mobile platforms, including iOS, Android, Windows Phone and Symbian, BlackBerry has avoided being a big target despite its significant install base amongst enterprises and government agencies. Even so, Research in Motion, the company behind this mobile platform, has not been sitting back and taking it easy, Adrian Stone, director of security response at RIM, told SecurityWeek at the recent Black Hat security conference in Las Vegas. The company has been "opening up dialogue with researchers" and encouraging communication between the researchers and engineers to discuss vulnerabilities and issues in the platform, Stone said.

Collaborating on research is important because the vulnerability doesn't have to be within BlackBerry's code to compromise the platform, Stone noted. For example, researchers exploited issues in the open source browser engine WebKit to hack a BlackBerry at last year's CanSecWest Pwn2Own contest. It's about "protecting the ecosystem," as a vulnerability identified in one platform can easily exist in another, Stone said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.