Zitmo trojan for Android defeats two-factor authentication

Posted by   Virus Bulletin on   Jul 11, 2011

Malware intercepts TANs sent via SMS.

A new variant of the Zitmo trojan has been discovered that infects mobile devices running the Android platform and which intercepts SMS messages from banks sending mobile TAN numbers, thus potentially defeating two-factor authentication.

Two-factor authentication is used by many banks to prevent a customer's online banking account being compromised by password theft. One common way for it to work is for the customer to be required to enter both their password and a 'Transaction Authentication Number' (TAN) - which is sent to their mobile device via SMS - in order to complete a transaction. This is considered to be more secure as it is deemed unlikely that criminals would be able both to steal passwords and have access to the user's mobile device.

However, it is certainly not impossible - as the Zitmo trojan (first discovered in September 2010 for Symbian devices) shows. The trojan co-operates with the ZeuS crime kit (Zitmo stands for 'Zeus In The MObile'): when a user who is infected with ZeuS visits one of a number of particular websites, code is injected into the session, prompting the user to enter their mobile number as well as the model of the device. An SMS is then sent to that number with a link to the malicious application, which is a Zitmo variant targeting that particular operating system.

The combination of ZeuS, which steals the user's login credentials for the online banking system, and Zitmo, which intercepts mobile TANs, gives the criminals effective control of the user's bank account.

Two-factor authentication should still be a minimum requirement for online banking, but neither banks nor their customers should assume that this makes the systems undefeatable.

More at Fortinet's blog here and at CSIS;'s blog here. Fortinet's Axelle Apvrille and Kyle Yang wrote a two-part analysis of Zitmo for the March and April editions of Virus Bulletin (subscription required).

Axelle Apvrille will give a presentation on analysing mobile malware at VB2011 later this year. The conference takes place 5-7 October in Barcelona. Registration for the event is now open.

Posted on 11 July 2011 by Virus Bulletin

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New paper: LokiBot: dissecting the C&C panel deployments

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. In a new paper researcher Aditya Sood analyses the…

VB2019 presentation: Building secure sharing systems that treat humans as features not bugs

In a presentation at VB2019 in London, Virtru's Andrea Limbago described how, by exploring data sharing challenges through a socio-technical lens, it is possible to make significant gains toward the secure sharing systems and processes that are vital…

VB2019 presentation: Attor: spy platform with curious GSM fingerprinting

Attor is a newly discovered cyber-espionage platform, use of which dates back to at least 2014 and which focuses on diplomatic missions and governmental institutions. Details of Attor were presented at VB2019 in London by ESET researcher Zuzana…

Why we encourage newcomers and seasoned presenters alike to submit a paper for VB2020

With the call for papers for VB2020 currently open, we explain why, whether you've never presented before or you're a conference circuit veteran, if you have some interesting research to share with the community we want to hear from you!

VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games

At VB2019 in London, Kaspersky researcher Santiago Pontiroli presented a paper on the growing illegal economy around video game cheats and its parallels with the malware industry. Today we publish both Santiago's paper and the recording of his…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.