It is not very often that we hear any news concerning security threats regarding BlackBerry. So when new exploits or security breaches are found, it is worth taking note. In the latter half of last year, Kaspersky Lab's security research team published an article with information regarding the ZeuS-in-the-Mobile (ZitMo) Trojan and its ability to mislead users into sending banking information to malicious users.
The ZitMo Trojan has actually been around for a couple years now and has generally been elusive to those researching vulnerabilities on BlackBerry devices. ZitMo's sole purpose is to steal mobile users mTAN codes; your banks Transaction Authentication Number, and forward it to a malicious user. Banks often use these TAN codes as away to authenticate users to their online banking services.
The whole attack is finely orchestrated, using the already well known ZeuS PC- based attack to gather user banking information and cell phone number. Kaspersky describes the attack in the following manner:
- Cyber criminals use the PC-based ZeuS to steal the data needed to access online banking accounts and client cell phone numbers.
- The victim’s mobile phone receives a text message with a request to install an updated security certificate, or some other necessary software. However, the link in the text message will actually lead to the mobile version of ZeuS.
- If the victim installs this software and infects the phone, the malicious user can then use the stolen personal data and attempt to make cash transactions from the compromised account, but still needs an mTAN code to authenticate the transaction.
- The bank sends out a text message with the mTAN code to the client’s mobile phone.
- ZitMo forwards the text message with the mTAN code to the malicious user’s phone.
- The malicious user is then able to use the mTAN code to authenticate the transaction.
A fragment of the certificate .cod file and commands.
Trojan installation process
The samples include 3 .cod files and 1 .jar file with another .cod conveniently placed inside the .jar file. The samples according to Kaspersky have all come from various European countries to include, Spain, Poland, and Germany. The following is a list of counties provided by Kaspersky in which users need to be more aware of ZitMo:
- Germany +46769436094
- Spain +46769436073
- Italy +46769436073
- Spain +46769436073
The best way to help safeguard against this revamped threat is to make sure you have a clean PC. Always make sure that you have the latest antivirus definitions on your computer, and be careful when downloading applications to your computer and mobile device. Only accept text messages from numbers that you are familiar with, or at least have the sender identify themselves. Last but not least, verify the source of your mobile download. Most vendors will have some sort of identification linked to the download. If you're unsure contact them and make sure it's a legit download.