BlackBerry Hit By Zeus Banking Trojan

With so many reports of Android and iPhone malware, it was only a matter of time before a BlackBerry variant emerged.

A variant of the Zeus banking Trojan targeting BlackBerry smartphones was detected by security researchers at Trend Micro. With more users using their phones to get up-to-date alerts on their bank account balances, to add funds, or to receive password hints, mobile malware has become a lucrative attack vector for cyber-criminals, wrote threat analyst Patrick Estavillo on TrendLabs blog on 4 March.

Flying under the radar

The BlackBerry Zitmo flies under the user’s radar because it does not have a graphical user interface, and it can remove itself from the list of applications attackers, Estavillo said. Mobile banking users unaware of the infection on their phone would be inadvertently giving away their bank account information.

Once the mobile Zeus has been installed on the smartphone, it sends a confirmation message to the remote administrator at the command-and-control server that it is ready to receive commands. The confirmation message reads “App Installed OK”, and is sent to a phone number in the United Kingdom, Estavillo said.

Considered by security experts to be one of the most sophisticated Trojans, Zeus originally installed keyloggers on user desktops to steal login credentials as they were entered on banking sites. Many banks switched to two-factor authentication to thwart the Trojan, since the one-time passcodes, sent by SMS message to the user’s phones, expire as soon as they are used. The Zitmo variant intercepts the passcodes by forwarding all SMS messages to the remote attacker.

Zitmo forwards all messages on to the remote administrator and can also delete and drop incoming SMS messages so that the user never sees the messages sent from the hacker, Estavillo said. It can power the phone on or off and display messages that look like real SMS messages. The Trojan can also block specific phone numbers or incoming calls in general and remove the blocked call from history so that the user again remains unaware of any calls blocked. It can also create and remove administrator accounts on the phone.

The administrator can remotely change the phone number to which BlackBerry Zitmo forwards all incoming SMS messages. If the original number is unavailable or taken down by authorities, the remote attacker can send a command to all infected phones that changes the administrator phone number, ensuring that the attackers continue receiving all forwarded messages.

Silent install

Trend Micro researchers have identified variants targeting Nokia’s Symbian OS and Windows Mobile. The Trojan is silently installed when users go to a malicious website from their mobile browsers, or when downloading applications that have the Trojan packaged inside. Once installed, uses see a prompt to install a critical software update that was necessary to keep being able to receive mobile banking alerts on their phone. A Zitmo variant targeted ING customers in Poland late last month.

Researchers have long warned that mobile malware would become more sophisticated as smartphones became more popular and powerful. With the latest round of malicious applications found on Android Market and a number of iPhone malware prototypes, all mobile users need to exercise more caution clicking on links to unfamiliar websites or downloading applications on to the phone, Estavillo said.