Since more and more financial institutions and companies are beginning to use mobile text messages to provide two-factor authentication to their users, it was only a matter of time until the criminals behind the ZeuS Trojan would think of a way to get hold of that crucial bit of information.
The attack begins as it usually does – the Trojan steals the username and password as the user enters them. Then a rogue form pops up and demands that he share his mobile phone vendor, model and phone number.
After the unsuspecting victim has complied with that request, he receives an SMS containing a link to a "security certificate" – actually, a malicious application.
As S21sec researchers point out, so far the malicious application targets only users who have a BlackBerry or a mobile device running Symbian, because on those platforms the application needs only the user's permission to install. iPhone applications, on the other hand, can only be installed through the App Store.
From then on, the application monitors all incoming text messages and installs a backdoor so that it can receive further commands via SMS. The researchers have analyzed one of these applications for Symbian and have revealed that it has a hardcoded UK phone number (used as a C&C).
Upon installation, the application notifies the C&C that it has been successfully installed and monitors the incoming text messages. With text messages sent from the C&C number, containing various commands, the criminals behind this scheme can make the phone ignore all commands, enable remote commands, add/delete/update a contact or change the C&C phone number.
The best way for the user to find out if his device is infected is to look at his mobile expenses and detect strange SMS charges. "Although we cannot state that it is a really advanced malicious application, it really works, and the thin line between PC and mobile malware is thinner than ever," say the researchers.
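The two tell-tale signs the article describes, a two-way SMS exchange with a single hardcoded C&C number (the install notification followed by commands) and unexplained outbound SMS charges on the bill, can be checked mechanically from an SMS activity export or an itemised bill. The script below is an added example, not S21sec's or the article's own code: it scans a constructed log for outbound messages to numbers the user never saved, flags any such number that also sends inbound messages within a short window of an outbound one (a beacon-then-command pattern), and totals the resulting charges. The log lines, the address book and the +44 7700 900xxx numbers (the UK range reserved for fiction, standing in for the real C&C number the article does not print) are all constructed placeholders.

```python
"""Scan an SMS activity export for traffic consistent with an SMS-controlled
backdoor: outbound messages to numbers the user never saved, especially where
that same unknown number also sends inbound messages (two-way C&C traffic).
Added example; the log and address book below are constructed, not from the
article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Columns: timestamp, direction, counterpart, text.
# +44 7700 900xxx is the UK range reserved for fiction; +447700900123 stands in
# for the hardcoded UK C&C number mentioned in the article (hypothetical value).
SAMPLE_LOG = """\
2010-09-27T09:02:11 IN  +447700900123 Your security certificate: <link>
2010-09-27T09:05:40 OUT +447700900123 installed
2010-09-27T09:06:02 IN  +447700900123 cmd
2010-09-27T12:15:00 OUT +447700900123 ok
2010-09-27T13:40:10 IN  +447700900555 Dinner tonight?
2010-09-27T13:41:00 OUT +447700900555 Yes, 7pm
2010-09-27T15:00:00 IN  +447700900777 Your parcel is out for delivery
"""

# Constructed address book: numbers the user knowingly exchanges SMS with.
CONTACTS = {"+447700900555"}


def parse_log(text):
    """Parse one record per line into (timestamp, direction, number, body)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, number, body = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), direction, number, body))
    return records


def find_suspicious_numbers(records, contacts, beacon_window=timedelta(minutes=10)):
    """Return {number: findings} for non-contact numbers the phone sent SMS to.

    Findings per number:
      outbound             - messages sent to this unknown number; each one is
                             a charge the user did not knowingly incur
      two_way              - the same unknown number also sent inbound messages,
                             i.e. a command channel rather than a one-off reply
      beacon_after_inbound - an outbound message followed an inbound one from
                             the same number within beacon_window, matching the
                             "install link, then notify C&C" sequence
    """
    by_number = defaultdict(list)
    for rec in records:
        by_number[rec[2]].append(rec)

    findings = {}
    for number, recs in by_number.items():
        if number in contacts:
            continue
        outbound = [r for r in recs if r[1] == "OUT"]
        if not outbound:
            continue  # inbound-only unknown numbers are ordinary spam, not a backdoor
        inbound = [r for r in recs if r[1] == "IN"]
        beacon = any(
            timedelta(0) <= (o[0] - i[0]) <= beacon_window
            for o in outbound
            for i in inbound
        )
        findings[number] = {
            "outbound": len(outbound),
            "two_way": bool(inbound),
            "beacon_after_inbound": beacon,
        }
    return findings


def unexplained_sms_charges(findings, price_per_sms):
    """Cost of SMS the user did not knowingly send: the "strange SMS charges"
    a victim would notice on the bill."""
    return sum(f["outbound"] for f in findings.values()) * price_per_sms


if __name__ == "__main__":
    result = find_suspicious_numbers(parse_log(SAMPLE_LOG), CONTACTS)
    for number, f in result.items():
        print(number, f)
    print("unexplained SMS charges (pence):", unexplained_sms_charges(result, 10))
```

On the constructed log only the hypothetical C&C number is flagged: the contact is skipped, and the inbound-only delivery notification is ignored because it generated no charge and no reply. The beacon window is a tunable assumption; a real export would also need the operator's price per message and the user's actual contact list.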