Improved SpyEye variant actively attacking Android devices

The first SpyEye variant, called SPITMO, has been spotted attacking Android devices in the wild.

According to Amit Klein, Trusteer’s chief technology officer, the threat posed by DriodOS/Spitmo has escalated the danger of SpyEye now that this malicious software has been able to shift its delivery and infection methods.

“We always said it was just a matter of time before the true potential of Spitmo was realized,” says Klein. “When it first emerged back in April, F-Secure reported in its blog that it was targeting European banks. The trojan injected fields into a bank’s webpage asking the customer to input his mobile phone number and the IMEI of the phone. The fraudster then needed to follow a cumbersome three stage sequence – get the IMEI number; generate a certificate; then release an updated installer. This process could take up to three days.”

“We couldn’t believe fraudsters would go to that much effort just to steal a couple of SMSs – and it appears we were right,” he says. “Information gathered by Trusteer’s Intelligence Centre has discovered a new far more intuitive, and modern, approach of SPITMO for Android now active in the wild.”

Looking at the attack vector in action, Klein explains, “When a user browses to the targeted bank a message is injected presenting a ‘new’ mandatory security measure, enforced by the bank, in order to use its online banking service. The initiative pretends to be an Android application that protects the phone’s SMS messages from being intercepted and will protect the user against fraud. How’s that for irony!”

Once the user clicks on “set the application” he is given further instructions to walk him though downloading and installing the application.

To complete the installation, the user is instructed to dial the number “325000”; the call is intercepted by the Android malware and an alleged activation code is presented, to be submitted later into the “bank’s site”. Besides concealing the true nature of the application, this “activation code” does not serve any legitimate purpose.

Once the Trojan has successfully installed, all incoming SMS messages are intercepted and transferred to the attacker’s Command and Control server. A code snippet is run when an SMS is received, creating a string, which will later be appended as a query string to a GET HTTP request, to be sent to the attacker’s drop zone.

“When examining the drop URLs, four of the domain names in use are not registered – yet!” Klein adds. “However, one of them is not new in relation to SpyEye – the domain “124ffsaf.com’, and has actually been “hopping’ around different IPs in several locations around the world. This attack, at the moment, is yet to gain momentum but that’s just a matter of time. This is a very real early warning and I’m pretty sure it’s only just started. I’m tempted to say ‘to be continued-¦'”

“What makes all of this so scary is that the application is not visible on the device’s dashboard, making it virtually undetectable, so users are not aware of its presence and will struggle to get rid of it.”