Carlos Castillo is a mobile malware researcher at McAfee, where he specializes in the analysis of mobile threats and ...
SpyEye and Zeus are probably the most prevalent and active Trojan “banker” families seen in the wild. (Bankers steal bank passwords and other financial data.) At the beginning of the year there was a rumor about the “merger” of both toolkits into a new generation of banking Trojan. It is not clear yet whether leaked Zeus source code has been included in the new version of SpyEye, but it is clear that both families are quite active, especially targeting Android, one of the most popular operating systems for mobiles.
Despite serving the same purpose as the Zeus version for Android (known as Zitmo, for Zeus in the mobile), SpyEye (dubbed Spitmo, for SpyEye in the mobile) has some interesting differences. Both work to defeat a second factor of authentication in an electronic transaction–in this case an mTAN (mobile transaction authentication number)–by forwarding all incoming SMS to a remote server after the username and password have been captured from the infected computer. But SpyEye offers three new interesting characteristics:
1. SpyEye and Zeus use the same distribution method (a computer infected with SpyEye will suggest the user enter a URL in a mobile device to download the malicious Android app), but the user interaction is different. SpyEye does not look like a security tool, as ZeuS for Android does. SpyEye also does not run in the background as a service; it is not active until a predetermined number (325000) is dialed or an SMS is received:
SpyEye might take this step to reduce the presence of the malware in the device. It will not have a user interface and will not appear in the Running tab of the Manage Applications window. Another difference is that instead of seeing the IMEI on the screen, the user (of the infected computer) is instructed to call a specific number to get a fake “authentication code” that will always be the same (because it is hardcoded in the application):
2. With SpyEye the intercepted messages can be transferred via SMS or HTTP. This configuration is stored in a file in the original app called Settings.xml:
The malware will check if the value in “Send” is 1 (HTTP) or 2 (SMS). If it is 2, then it will forward the SMS to the number specified in the telephone tag:
Sending an SMS to the attacker can affect victims because the forwarded SMS can generate additional expenses. Also, given that the configuration lies outside the malicious code, the delivery method can be different among the variants of the malware. Unlike Zeus, SpyEye carries its URLs for receiving the stolen information in one settings file. For this reason it is more flexible because the URLs can be changed among variants.
3. The stolen SMS are sent without encryption to the attacker’s URL. Unlike Zeus for Android (which uses a JSON object in a POST request to send the stolen information), SpyEye uses URLEncoder to “encode” the data by converting some characters (except letters, numbers, and some special characters) into hexadecimal values preceded by “%.” Thus the data is basically being transmitted in clear text (so it can be easily intercepted by a sniffer on the Internet):
Zeus and SpyEye share the same objective–to obtain the mTANs sent in an SMS to perform electronic transactions that require this second factor of authentication. But the new version of SpyEye for Android adds interesting functions to slow down the analysis process, provide flexibility, and affect the user in different ways. These additions show that this kind of banking malware is in constant evolution. With the increasing popularity of Android and mobile banking, we expect to find more of this kind of malware in the wild. This malicious application is detected in VSE/VSO as Android/Spitmo and in VSM as Android/Spitmo.B.