Believe two-factor authentication using SMS texts is secure? Think again. Michael Kassner reports that Zeus malware now has a smartphone partner called Zitmo.

When it comes to crimeware, Zeus has no equal. People behind the malcode have stolen millions from unsuspecting organizations. I first wrote about Zeus back in October of 2009. Three years hence, Zeus is still going strong.

The latest volley between security firms, and the developers responsible for Zeus involves SMS-based two-factor authentication. The theory goes: Using Simple Message Service (SMS) as an out-of-band verification prevents Zeus from capturing log-in credentials. SecureID technology is also out-of-band, but most institutions are shying away from it right now.

Difficult but not impossible

Well, Zeus now has a partner. Meet Zitmo (Zeus In The MObile). Phone malware designed to capture SMS texts and forward them to the attacker. Here's how, according to S21sec:

When you visit a financial portal, Zeus (already installed on the computer) steals your username and password.

The attacker then attempts to infect your mobile device by installing a malicious application (possibly a SMS with a link to the malicious mobile application).

The attacker logs in with the stolen credentials using your computer as a socks/proxy and performs a specific operation that needs SMS authentication.

An SMS is sent to your mobile device with the authentication code. The malicious software running in the device forwards the SMS to the attacker's computer.

The attacker fills in the authentication code and completes the operation.

One has to admit, the sophistication is impressive. Zeus (PC) and Zitmo (smartphone) working in concert, allow the attacker to successfully log in and siphon finances from your account.

But not Android

Security researchers at Fortinet, S21sec, and McAfee are following the Zeus/Zitmo saga closely. They have examples of Zitmo code for Symbian, Blackberry, and Windows mobile operating systems--three out of the big four (Edit: Should be five, but iOS is not affected). What about Android?

Missing an opportunity

According to this Nielsen report, Android is favored by a third of all smartphone users. Seems to me, the bad guys are missing or avoiding the largest segment of mobile-device users. Puzzling.

Maybe not

While trolling for research material, I came across a Fortinet blog post by Axelle Apvrille. She reported that Zitmo may now be ported for Android:

"Lately, there's been an active discussion on technical forums regarding Zeus targeting Android users. We finally managed to get our hands on the mobile sample the Zeus PC trojans are propagating.

Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when propagated by the Zeus gang."

Found a puzzle piece.

Then I came across this: Dissecting Zeus for Android (or Is It Just SMS Spyware?). Carlos Castillo, researcher for McAfee, questions if what they found is indeed Zitmo for Android. Oh-Oh. Now full-blown confusion.

Back to basics

Long ago, I learned something about confusion. It is unwise to write while in a confused state. Saving that story for my memoirs.

Anyway, I dashed off an email to Mr. Castillo, hoping that he would clear up my confusion. I started with the basics.

: Would you explain what role smart phones play when Zitmo malware is installed?: Smartphones are the component needed to defeat second-factor authentication (sent in a SMS) in an electronic transaction.

When the Zeus malware is installed on a PC, it will show a window suggesting the user download the Android application which is in fact the malware that will intercept all incoming SMS and forward those messages to a remote server.

: I assume attackers are monitoring many infected PC and smartphones. How do they correctly associate SMS texts with log in credentials?: Once the malware collects the information related to the SMSs being received in the device, it will also collect the IMEI (International Mobile Equipment Identity) of the smartphone and it will send it to a remote server.

On the other side, in the Windows computer, the Zeus version for this platform will ask for the number given by the Android application (a fake security tool) which is in fact the IMEI of the device and with that data the computer crooks are able to link the stolen credentials in both platforms.

: Your paper mentions that Zitmo malware uses a special app as the delivery vehicle. Is there something people can watch out for to prevent the download?: The delivery component of Zitmo is not using the most common distribution mechanism--repack legit applications with malicious code--used by malware like Droid Dream or Geinimi. In fact, this is a purely malicious application with no clean code inside, making it easier to detect.

Also, the Windows version of Zeus will ask you to enter a URL address to download the application and the application will want permission to access to your SMS. Both should raise your level of suspicion.

: Is there something specific that people can check to make sure the Zeus malware is not already on their smartphone?: The two principal variations of this malware are fake versions of security tools belonging to Trusteer and Kaspersky. The slide below shows the difference between the Zitmo and real icons.

If you have an installed application that acts as a security tool and shows you the IMEI--the device is most likely infected. The other sign of infection will be missing SMS. Those are blocked by the Zitmo malware.

In general, this malware is not sophisticated compared with other Android malicious code seen in the wild like ADRD. All traffic with command and control servers is in clear text, unlike all other Zeus malware.

There is no evidence that intercepted messages are being filtered to target a specific bank or to search for a specific authentication code inside the message.

Unlike Zitmo, this malware does not implement control commands such as SET ADMIN to change the device that is controlling the bots, and it does not have a mechanism to change the URL that is collecting the SMS (in case it is needed).

Final thoughts

That gives us a good idea as to what Zitmo does. You feel that the captured malware is probably only SMS spyware. With your permission I would like to paraphrase your reasons:

I'm glad there are dedicated people like Axelle Apvrille and Carlos Castillo. They invest a lot of time tracking malware, especially financial crimeware. Things would be a lot worse without their diligence.

Second, I hope I achieved my purpose today: Alerting you to the fact that two-factor authentication is not a security blanket, not any more.

And, Android users, we are next. There is no way the bad guys are going to let 30 percent of us go scot-free.