Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Identify Four BlackBerry Zitmo Variants

Security researchers have identified new Zeus malware samples targeting Android and BlackBerry devices.

Security researchers have identified new Zeus malware samples targeting Android and BlackBerry devices.

Despite its significant user base within enterprises, BlackBerry devices have managed to stay off the radar for malware writers. That may be ending, as Kaspersky Lab recently analyzed four new Zeus-in-the-mobile (Zitmo) samples targeting BlackBerry users in Germany, Spain, and Italy, Denis Maslennikov, a researcher at Kaspersky Lab wrote on the company’s Securelist blog. These variants were communicating with two command-and-control cell phone numbers associated with a Swedish mobile operator.

Zitmo Malware Infects BlackBerry DevicesZitmo refers to a version of the Zeus malware that specifically targets mobile devices. Previous Zitmos variants masqueraded as banking security applications or security add-ons to circumvent out-of-band authentication systems used by some financial institutions by intercepting one-time passwords sent via text message and forwarding it to a another cell number that acted as a command-and-control device.

“Yes, finally we’ve got a ZitMo dropper file for BlackBerry,” Maslennikov wrote.

The samples were three .cod files and one .jar file with a .cod file inside. The BlackBerry variants didn’t have any major differences from other Zitmo versions in the wild, other than grammatical corrections, Maslennikov said. The list of commands used by the malware remained the same, according to the blog post.

Maslennikov also identified a new Zitmo variant for Android using the same command and control (C&C) numbers as the BlackBerry versions. While previous Android variants have been primitive, the latest.apk dropper, which shows up as an app “Zertifikat,” looks “more similar to ‘classic'” Zitmo, he said. When executed, it displays a message in German that the installation was successful, along with an activation code.

The Android sample and the BlackBerry samples appear to share the same message within the code, Maslennikov said. The Android sample also included a self-issued certificate that indicates it was developed less than a month ago, he said.

“It’s not that often when we hear/find new wave of Zeus-in-the-mobile (or SpyEye-in-the-mobile) attack,” Maslennikov wrote.

Compared to other mobile platforms, including iOS, Android, Windows Phone and Symbian, BlackBerry has avoided being a big target despite its significant install base amongst enterprises and government agencies. Even so, Research in Motion, the company behind this mobile platform, has not been sitting back and taking it easy, Adrian Stone, director of security response at RIM, told SecurityWeek at the recent Black Hat security conference in Las Vegas. The company has been “opening up dialogue with researchers” and encouraging communication between the researchers and engineers to discuss vulnerabilities and issues in the platform, Stone said.

Collaborating on research is important because the vulnerability doesn’t have to be within BlackBerry’s code to compromise the platform, Stone noted. For example, researchers exploited issues in the open source browser engine Webkit to hack a BlackBerry last year’s CanSecWest Pwn2Own contest. It’s about “protecting the ecosystem,” as one vulnerability identified in one platform can easily exist in another platform, Stone said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.