Ten months ago we’ve published an article about ZeuS-in-the-Mobile which contains an overview of everything we knew about ZitMo at that moment. The paper finishes with the following prediction: ‘they [attacks involving ZitMo] will become more specifically targeted against a smaller number of victims’. This prediction appears to have been correct. It’s not that often when we hear/find new wave of ZeuS-in-the-Mobile (or SpyEye-in-the-Mobile) attack. So every new piece of information about these types of malware and/or attacks involving them is very important and helps to understand the evolution of one of the most interesting threats in mobile space so far. Just a small reminder: ZeuS-in-the-Mobile is almost 2 years old. And this blog is about new samples (and probably new wave of attack)) of ZitMo for Android and Blackberry.

New samples overview

We’ve got 5 new files of ZitMo: 4 for Blackberry and 1 for Android. As you may know, the Blackberry platform has never been actively targeted by malware. And here we have 4 different samples of ZeuS-in-the-Mobile for Blackberry at once: 3 .cod files and 1 .jar file (with one more .cod inside). Yes, finally we’ve got a ZitMo dropper file for Blackberry.

As for Android, there is only one .apk dropper. But this ZeuS-in-the-Mobile for Android has been modified and now looks like a ‘classic’ ZitMo with same commands and logic.

Countries and C&C numbers

All samples of ZitMo we’ve seen so far target users from various European countries (Spain, Poland, Germany, etc). This case is no exception. Here is a list of countries from which users are threatened by new ZeuS-in-the-Mobile with C&C number from the sample.

Blackberry:

Germany +46769436094

Spain +46769436073

Italy +46769436073

Spain +46769436073

Android

Germany +46769436094

To summarize, there are 3 countries (Germany, Spain and Italy) and 2 C&C numbers (both are Swedish). We found out that these cell phone numbers belong to Tele2 mobile operator in Sweden.

ZitMo for Blackberry

The analysis of new Blackberry ZitMo files showed that there are no major changes. Virus writers finally fixed grammar mistake in the ‘App Instaled OK’ phrase, which is sent via SMS to C&C cell phone number when smartphone has been infected. Instead of ‘BLOCK ON’ or ‘BLOCK OFF’ commands (blocking or unblocking all incoming and outgoing calls) now there are ‘BLOCK’ and ‘UNBLOCK’ commands. Other commands which are received via SMS remain the same. You can find the list of these commands and their meanings here.

ZitMo for Android

There is no surprise that ZitMo for Android posses itself as an app with ‘Zertificat’ (com.security.service) name. Various ZeuS-in-the-Mobile versions pretended to be ‘certificate update’ or ‘security’ apps.

ZitMo ‘Zertificat’ after installation

If user launches malicious app he will see a pop up text in German:

‘Installation successful. Your activation code 7725486193’

After clicking ‘OK’ button this pop up will disappear but malicious app will continue to work in a background. It is highly important to mention that absolutely the same message is stored in one of Blackberry samples:

The situation with new Android ZitMo file differs from Blackberry. From our previous papers and blogs about ZitMo you can find out that ZeuS-in-the-Mobile for Android is far more primitive than versions for other platforms like Symbian, Windows Mobile or Blackberry. But in this case the situation has changed and ZitMo for Android became more similar to ‘classic’ ZeuS-in-the-Mobile samples.

Let’s take a look on a list of string constants stored in Constant.class file.

You may notice some strings like ‘on’ (enable malware), ‘off’ (disable malware), ‘set admin’ (change C&C cell phone number) which seem familiar. These are SMS commands which may be sent to a device infected by ZitMo from C&C cell phone number. Comparing to ZeuS-in-the-Mobile versions for other platforms the list of commands is shorter.

But the virus writers have added something new. There are 4 variables at the end of the list: RESPONSE_INIT, RESPONSE_OFF, RESPONSE_ON, RESPONSE_SET_ADMIN with ‘INOK’, ‘OFOK’, ‘ONOK’ and ‘SAOK’ values respectively. In case of successful execution of one of the commands (‘on’, ‘off’, ‘set admin’) malware will send a response SMS (‘ONOK’, ‘OFOK’, ‘SAOK’). And ‘INOK’ SMS is sent after successful infection together with C&C number (an analogue of ‘App Installed OK’ SMS from other ZitMo versions).

‘OFOK’ and ‘ONOK’ sending routines

The main functionality of ZitMo remains the same: forwarding all incoming SMS messages to C&C number. All versions of Android ZeuS-in-the-Mobile (including this one) continue to forward all messages from all numbers instead of specific ones from a bank. The format of outgoing SMS to C&C is the following:

message {SMS message body}. F:{SMS sender}

New wave of attack?

There is one last but not the least detail. A new set of ZitMo samples doesn’t prove that it’s a new wave of ZitMo attacks. But there’s one indirect proof that we’re dealing with new wave of ZitMo attacks. Here is a piece of information from CERT.RSA file from ZeuS-in-the-Mobile for Android .apk file:

It’s a self issued certificate which suggests that at least the Android application was developed less than a month ago.