Thursday, 14 July 2011

Zeus for Android and fake Kaspersky Antivirus 2011 | Naked Security

Zeus for Android and fake Kaspersky Antivirus 2011

Facebook logoOver 30,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest internet and Facebook security threats. X

Twitter logoHi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats. X

YouTube logoDon't forget you can subscribe to the SophosLabs YouTube channel to find all our latest videos. X

RSS logoHi there! If you're new here, you might want to subscribe to the RSS feed for updates. X

Filed Under: Malware, Mobile, SophosLabs

Android shotOver the weekend I wrote about the discovery of the potential Android component of the Zeus information-stealing toolkit (also known as Zitmo).

I wanted to share an update as there are further developments which have been uncovered about the relationship between the Zeus toolkit and Andr/SMSRep-B.

Thanks to Denis from Kaspersky Labs we can now confirm that the fake Trusteer Rapport application is related to malicious websites set up as command-and-control servers for several Zeus/Zbot botnets.

The server-side Zeus application checks for the User-Agent string of the HTTP requests and delivers the malicious payload based on the browser type.

In the case of Android. the default browser User-Agent string will be similar to "Mozilla/5.0 (Linux; U; Android 2.2)..." and from there the operating system can be easily determined.

On a separate note, it seems that the tradition of malware pretending to be legitimate anti-virus software for Android is extending.

After Trusteer, the next target is Kaspersky Labs. Yesterday, I had a chance to analyse a sample of Android malware which attempts to fool the user into installing the package by looking like a legitimate Kaspersky Antivirus 2011 product.

The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product.

When the package is launched the malware attempts to get the unique device id number and transform it into an "activation code". The fake activation code is then displayed in a standard Android view.

Fake Kaspersky Antivirus 2011

In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a web server set up by the attacker.

Luckily, in the case of this malware (which Sophos detects as Andr/SMSRep-C), the command-and-control web server IP address is 127.0.0.1 (localhost), which does not make the malware very useful.

Clearly, this is just an early test build and we will have to be on watch for the next version which will be connected with a real malicious server.

Although the functionality of Andr/SMSRep-B and Andr/SMSRep-C is quite similar, the code does not indicate that they have been developed by the same author.

, , , , ,

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.

Flickr - projectbrainsaver

www.flickr.com
projectbrainsaver's A Point of View photoset projectbrainsaver's A Point of View photoset