Zeus for Android and fake Kaspersky Antivirus 2011
Over the weekend I wrote about the discovery of the potential Android component of the Zeus information-stealing toolkit (also known as Zitmo).
I wanted to share an update as there are further developments which have been uncovered about the relationship between the Zeus toolkit and Andr/SMSRep-B.
Thanks to Denis from Kaspersky Labs we can now confirm that the fake Trusteer Rapport application is related to malicious websites set up as command-and-control servers for several Zeus/Zbot botnets.
The server-side Zeus application checks for the User-Agent string of the HTTP requests and delivers the malicious payload based on the browser type.
In the case of Android, the default browser User-Agent string will be similar to "Mozilla/5.0 (Linux; U; Android 2.2)..." and from there the operating system can be easily determined.
On a separate note, it seems that the tradition of malware pretending to be legitimate anti-virus software for Android is extending.
After Trusteer, the next target is Kaspersky Labs. Yesterday, I had a chance to analyse a sample of Android malware which attempts to fool the user into installing the package by looking like a legitimate Kaspersky Antivirus 2011 product.
The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product.
When the package is launched, the malware attempts to read the device's unique ID and transform it into an "activation code". The fake activation code is then displayed in a standard Android view.
In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a web server set up by the attacker.
Luckily, in the case of this malware (which Sophos detects as Andr/SMSRep-C), the command-and-control web server IP address is 127.0.0.1 (localhost), which does not make the malware very useful.
Clearly, this is just an early test build and we will have to be on watch for the next version which will be connected with a real malicious server.
Although the functionality of Andr/SMSRep-B and Andr/SMSRep-C is quite similar, the code does not indicate that they have been developed by the same author.
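As an added illustration (not code from the original post or from SophosLabs), the following triage heuristic flags a decoded AndroidManifest.xml that combines the ingredients described above: permission to receive SMS, network access, and a broadcast receiver registered for incoming SMS. The manifest, the package name com.example.fakeav and the component names are constructed for this example.

```python
# Added example: manifest triage for SMS-intercepting "fake antivirus" apps.
# The sample manifest below is constructed; it is not the real malware's.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling a fake "antivirus" that intercepts SMS.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Kaspersky Antivirus 2011">
    <activity android:name=".ActivationActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-interception indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    prio_attr = f"{{{ANDROID_NS}}}priority"
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    # Receivers whose intent filter listens for incoming SMS, with the
    # priority they request; a very high priority lets a receiver see the
    # broadcast before the stock messaging app, which is a common red flag.
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.iter("intent-filter"):
            actions = {a.get(name_attr) for a in filt.iter("action")}
            if SMS_ACTION in actions:
                prio = int(filt.get(prio_attr, "0"))
                sms_receivers.append((rcv.get(name_attr), prio))
    findings = {
        "receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "read_phone_state": "android.permission.READ_PHONE_STATE" in perms,
        "sms_receivers": sms_receivers,
    }
    # Flag apps that can both intercept SMS and reach the network.
    findings["suspicious"] = (findings["receive_sms"]
                              and findings["internet"] and bool(sms_receivers))
    return findings
```

Run the function over the manifest produced by apktool or a similar decoder; the READ_PHONE_STATE flag corresponds to the device-ID read used for the fake activation code.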
About the author
Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.
Thursday, 14 July 2011
Zeus for Android and fake Kaspersky Antivirus 2011 | Naked Security