Over the weekend, researchers from Fortinet and S21cec came across a new mobile malware piece they have named SymbOS/Zitmo.A!tr, or “Zitmo,” standing for “Zeus In The Mobile.” As two-factor authentication methods become more popular, cybercriminals are working hard to keep up and develop technologies that let them further track and capture user credentials. The Zitmo malware was designed to intercept confirmation SMS messages sent by banks to their customers.
In order to successfully overcome two-factor authentication, the attacker steals login credentials using the traditional ZeuS malware. The attacker also captures the phone number and model of the users mobile device via injection of HTML forms in the victims’ browser. Based on that info, it encourages users to install mobile malware, by sending a SMS with a link to download the appropriate version of the malicious package depending on the type of mobile device the user has.
Next, the attacker logs in with the stolen credentials using the user's computer as a proxy and performs the SMS authentication process. An SMS is sent to the user's mobile device with the authentication code. The malicious software running on the user’s mobile device forwards the SMS to a system controlled by the attacker.
After analyzing the malware, Fortinet noted that it creates its own database on the mobile device, where it stores all information it steals. This database is named NumbersDB.db, and contains 3 tables:
• tbl_contact with 4 columns: index, name, descr, pb_contact_id.
• tbl_phone_number with 2 columns: contact_id, phone_number
• and tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.
The malware searches those tables using standard SQL queries. The malware sends SMS messages. In particular, it sends a message to a phone number located in the United Kingdom to notify that the malware has been successfully installed (”App installed ok”). "27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx"
Additionally, s21sec warns that the malware appears to have the capability to answer commands, potentially allowing anyone sending a “set admin” SMS to your infected phone may to take control of it.