Zeus-in-the-mobile (“Zitmo”) for Android is back, posing as a security solution for the mobile platform.
It masquerades as “Android Security Suite Premium” and, once installed, presents a blue shield icon. When launched, it shows a generated activation code.
While the victim believes they are protected from malware, the malicious app is busy collecting system information and text messages and sending them to a remote server whose URL is stored, encrypted, inside the body of the Trojan.
Kaspersky Lab researchers recently analyzed six of these malicious APK files, and each of them had a different C&C URL encoded into it.
A whois search on each of them showed that one was registered with fake data that can be traced back to a number of other domains, all of which were already in their database of ZeuS C&C domains. This led them to conclude that these new pieces of Android malware are not random information-stealing apps but new Zitmo versions.
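The two analysis steps described above (recovering the C&C URL hidden in each sample, then pivoting on whois registrant data to tie the domains to known ZeuS infrastructure) can be sketched as a small triage script. This is an added example, not Kaspersky's tooling: the article does not say how the Trojan encrypts its URL, so the decoding schemes tried here (raw, Base64 and single-byte XOR brute force) are an assumption, and the sample blobs, whois records and "known ZeuS C&C" list are constructed for illustration using reserved .example domains.

```python
"""Triage helpers for Zitmo-style samples: recover an obfuscated C&C URL from
an APK string blob, then pivot on whois registrant data to link the C&C
domains to known ZeuS infrastructure.

Added example, not Kaspersky's tooling. The decoding schemes tried (raw,
Base64, single-byte XOR) are an assumption; the page does not describe the
Trojan's real scheme. All sample data below is constructed.
"""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URL shape we expect to see once the blob is correctly decoded.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/?=&-]*)?")


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _decoding_candidates(blob: bytes):
    """Yield plaintext candidates: the raw blob, its Base64 decoding (if the
    blob is valid Base64) and the blob XORed with every non-zero byte key."""
    yield blob
    try:
        yield base64.b64decode(blob, validate=True)
    except binascii.Error:
        pass
    for key in range(1, 256):
        yield _xor(blob, key)


def recover_urls(blob: bytes) -> list[str]:
    """Return every distinct URL found under any of the tried decodings."""
    found: list[str] = []
    for candidate in _decoding_candidates(blob):
        for match in URL_RE.finditer(candidate):
            url = match.group(0).decode("ascii")
            if url not in found:
                found.append(url)
    return found


def c2_domains(blobs) -> set[str]:
    """Hostnames of every URL recovered from a batch of sample blobs."""
    domains: set[str] = set()
    for blob in blobs:
        for url in recover_urls(blob):
            host = urlsplit(url).hostname
            if host:
                domains.add(host)
    return domains


def link_to_known_infra(domains, whois, known_c2) -> dict[str, set[str]]:
    """Map each recovered domain to the known C&C domains that share its
    registrant e-mail. Domains without a whois record, or whose registrant
    owns no known C&C domain, are left out of the result."""
    by_registrant: dict[str, set[str]] = defaultdict(set)
    for domain, record in whois.items():
        by_registrant[record["registrant_email"]].add(domain)
    linked: dict[str, set[str]] = {}
    for domain in domains:
        record = whois.get(domain)
        if record is None:
            continue
        siblings = by_registrant[record["registrant_email"]] - {domain}
        overlap = siblings & set(known_c2)
        if overlap:
            linked[domain] = overlap
    return linked


# Constructed sample data (not real Zitmo artefacts): six "APK string blobs",
# each hiding a different C&C URL under one of the assumed schemes.
SAMPLE_URLS = [
    "http://c2-one.example/gate.php",
    "http://c2-two.example/gate.php",
    "http://c2-three.example/in.php",
    "http://c2-four.example/gate.php",
    "http://c2-five.example/in.php",
    "http://c2-six.example/gate.php",
]
SAMPLE_BLOBS = [
    _xor(SAMPLE_URLS[0].encode(), 0x5A),
    base64.b64encode(SAMPLE_URLS[1].encode()),
    _xor(SAMPLE_URLS[2].encode(), 0x13),
    base64.b64encode(SAMPLE_URLS[3].encode()),
    _xor(SAMPLE_URLS[4].encode(), 0xA7),
    SAMPLE_URLS[5].encode(),  # one sample stores the URL in the clear
]

# Constructed whois records: one fake registrant owns two of the recovered
# C&C domains as well as domains already on the known ZeuS C&C list.
SAMPLE_WHOIS = {
    "c2-one.example": {"registrant_email": "jdoe@mail.example"},
    "c2-two.example": {"registrant_email": "jdoe@mail.example"},
    "c2-three.example": {"registrant_email": "other@mail.example"},
    "zeus-old-1.example": {"registrant_email": "jdoe@mail.example"},
    "zeus-old-2.example": {"registrant_email": "jdoe@mail.example"},
}
KNOWN_ZEUS_C2 = {"zeus-old-1.example", "zeus-old-2.example"}

if __name__ == "__main__":
    domains = c2_domains(SAMPLE_BLOBS)
    print("recovered C&C domains:", sorted(domains))
    for dom, hits in link_to_known_infra(domains, SAMPLE_WHOIS, KNOWN_ZEUS_C2).items():
        print(f"{dom}: registrant also owns known ZeuS C&C {sorted(hits)}")
```

The XOR brute force is cheap because the decoded output has to start with `http://` or `https://`, so stray keys produce no match; in practice you would run `recover_urls` over the string tables of each APK's classes.dex rather than over pre-cut blobs. The registrant pivot is the same reasoning the researchers applied: a domain is only interesting when its (fake) registrant also owns domains already attributed to ZeuS.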
The researchers don’t say through which channels these Trojans are distributed, but third-party Android markets are the most likely route.