Researchers Identify Four BlackBerry Zitmo Variants

Security researchers have identified new Zeus malware samples targeting Android and BlackBerry devices.

Despite their significant user base within enterprises, BlackBerry devices have managed to stay off the radar of malware writers. That may be ending: Kaspersky Lab recently analyzed four new Zeus-in-the-mobile (Zitmo) samples targeting BlackBerry users in Germany, Spain, and Italy, Denis Maslennikov, a researcher at Kaspersky Lab, wrote on the company’s Securelist blog. These variants communicated with two command-and-control cell phone numbers associated with a Swedish mobile operator.

Zitmo refers to a version of the Zeus malware that specifically targets mobile devices. Previous Zitmo variants masqueraded as banking security applications or security add-ons in order to circumvent the out-of-band authentication systems used by some financial institutions: they intercepted one-time passwords sent via text message and forwarded them to another cell number that acted as a command-and-control device.
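To make the intercept-and-forward pattern concrete from the defender's side, here is an added example (not from the article or from Kaspersky's analysis) that correlates SMS telemetry: it flags an inbound one-time code that is re-sent by SMS to a different number within a short window. The log format, phone numbers and message texts are constructed, and the code assumes events arrive in chronological order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one SMS event per line,
# "<ISO timestamp> <IN|OUT> <peer number> <text>".
# Line 2 re-sends the code from line 1 to a third-party number seconds later
# (the Zitmo pattern); lines 3-4 are ordinary chat; line 6 sends a code back
# to the number it came from and must not be flagged.
SAMPLE_LOG = """\
2012-08-07T09:14:02 IN +49170000001 Ihre TAN lautet 483920 fuer Ueberweisung
2012-08-07T09:14:09 OUT +46700000002 483920
2012-08-07T10:02:11 IN +49170000003 Hallo, Treffen um 12?
2012-08-07T10:03:40 OUT +49170000003 Ja, passt
2012-08-07T11:30:00 IN +49170000001 Ihre TAN lautet 117744
2012-08-07T11:30:20 OUT +49170000001 117744
"""

# Heuristic: a standalone six-digit token is treated as a one-time code.
OTP_RE = re.compile(r"\b(\d{6})\b")


def parse(log):
    """Turn the text log into (timestamp, direction, peer, codes) tuples."""
    events = []
    for line in log.splitlines():
        ts, direction, peer, text = line.split(" ", 3)
        codes = set(OTP_RE.findall(text))
        events.append((datetime.fromisoformat(ts), direction, peer, codes))
    return events


def find_otp_forwarding(log, window=timedelta(seconds=60)):
    """Return (code, forwarded_to) for each inbound one-time code that is
    sent out again, by SMS, to a different number within `window`."""
    events = parse(log)  # assumed sorted by timestamp
    hits = []
    for i, (ts, direction, peer, codes) in enumerate(events):
        if direction != "IN" or not codes:
            continue
        for ts2, dir2, peer2, codes2 in events[i + 1:]:
            if ts2 - ts > window:
                break  # later events are outside the correlation window
            if dir2 == "OUT" and peer2 != peer and codes & codes2:
                for code in sorted(codes & codes2):
                    hits.append((code, peer2))
    return hits


if __name__ == "__main__":
    for code, dest in find_otp_forwarding(SAMPLE_LOG):
        print(f"one-time code {code} forwarded to {dest}")
```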

“Yes, finally we’ve got a ZitMo dropper file for BlackBerry,” Maslennikov wrote.

The samples were three .cod files and one .jar file with a .cod file inside. The BlackBerry variants didn’t have any major differences from other Zitmo versions in the wild, other than grammatical corrections, Maslennikov said. The list of commands used by the malware remained the same, according to the blog post.

Maslennikov also identified a new Zitmo variant for Android using the same command-and-control (C&C) numbers as the BlackBerry versions. While previous Android variants have been primitive, the latest .apk dropper, which shows up as an app called “Zertifikat,” looks “more similar to ‘classic’” Zitmo, he said. When executed, it displays a message in German that the installation was successful, along with an activation code.

The Android sample and the BlackBerry samples appear to share the same message within the code, Maslennikov said. The Android sample also included a self-issued certificate that indicates it was developed less than a month ago, he said.

“It’s not that often when we hear/find new wave of Zeus-in-the-mobile (or SpyEye-in-the-mobile) attack,” Maslennikov wrote.

Compared to other mobile platforms, including iOS, Android, Windows Phone and Symbian, BlackBerry has avoided being a big target despite its significant install base amongst enterprises and government agencies. Even so, Research in Motion, the company behind this mobile platform, has not been sitting back and taking it easy, Adrian Stone, director of security response at RIM, told SecurityWeek at the recent Black Hat security conference in Las Vegas. The company has been “opening up dialogue with researchers” and encouraging communication between the researchers and engineers to discuss vulnerabilities and issues in the platform, Stone said.

Collaborating on research is important because the vulnerability doesn’t have to be within BlackBerry’s code to compromise the platform, Stone noted. For example, researchers exploited issues in the open source browser engine WebKit to hack a BlackBerry at last year’s CanSecWest Pwn2Own contest. It’s about “protecting the ecosystem,” as a vulnerability identified in one platform can easily exist in another, Stone said.
