BlackBerry Hit By Zeus Banking Trojan

With so many reports of Android and iPhone malware, it was only a matter of time before a BlackBerry variant emerged.

A variant of the Zeus banking Trojan targeting BlackBerry smartphones was detected by security researchers at Trend Micro. With more users using their phones to get up-to-date alerts on their bank account balances, to add funds, or to receive password hints, mobile malware has become a lucrative attack vector for cyber-criminals, wrote threat analyst Patrick Estavillo on TrendLabs blog on 4 March.

Flying under the radar

The BlackBerry Zitmo flies under the user’s radar because it does not have a graphical user interface, and it can remove itself from the list of applications attackers, Estavillo said. Mobile banking users unaware of the infection on their phone would be inadvertently giving away their bank account information.

Once the mobile Zeus has been installed on the smartphone, it sends a confirmation message to the remote administrator at the command-and-control server that it is ready to receive commands. The confirmation message reads “App Installed OK”, and is sent to a phone number in the United Kingdom, Estavillo said.

Considered by security experts to be one of the most sophisticated Trojans, Zeus originally installed keyloggers on user desktops to steal login credentials as they were entered on banking sites. Many banks switched to two-factor authentication to thwart the Trojan, since the one-time passcodes, sent by SMS message to the user’s phones, expire as soon as they are used. The Zitmo variant intercepts the passcodes by forwarding all SMS messages to the remote attacker.

Zitmo forwards all messages on to the remote administrator and can also delete and drop incoming SMS messages so that the user never sees the messages sent from the hacker, Estavillo said. It can power the phone on or off and display messages that look like real SMS messages. The Trojan can also block specific phone numbers or incoming calls in general and remove the blocked call from history so that the user again remains unaware of any calls blocked. It can also create and remove administrator accounts on the phone.

The administrator can remotely change the phone number to which BlackBerry Zitmo forwards all incoming SMS messages. If the original number is unavailable or taken down by authorities, the remote attacker can send a command to all infected phones that changes the administrator phone number, ensuring that the attackers continue receiving all forwarded messages.

Silent install

Trend Micro researchers have identified variants targeting Nokia’s Symbian OS and Windows Mobile. The Trojan is silently installed when users go to a malicious website from their mobile browsers, or when downloading applications that have the Trojan packaged inside. Once installed, uses see a prompt to install a critical software update that was necessary to keep being able to receive mobile banking alerts on their phone. A Zitmo variant targeted ING customers in Poland late last month.

Researchers have long warned that mobile malware would become more sophisticated as smartphones became more popular and powerful. With the latest round of malicious applications found on Android Market and a number of iPhone malware prototypes, all mobile users need to exercise more caution clicking on links to unfamiliar websites or downloading applications on to the phone, Estavillo said.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

56 mins ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

4 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

5 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

21 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

23 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

1 day ago