It seems that SpyEye distributors are catching up with the mobile market as they (finally) target the Android mobile platform.

Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, SpyEye followed Zeus’ tracks by introducing its own hybrid desktop-mobile attacks (dubbed SPITMO).


The most recent achievement (that is, until our discovery at the end of July) of SpyEye in the mobile arena was reported in April on F-Secure’s blog.

The Trojan injects fields into a bank’s Web page and asks customers to input their mobile phone number and the IMEI of the phone. The bank customers are then told the information is needed so a “certificate” can be sent to the phone and are informed that it can take up to three days before the certificate is ready.

“The Trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate.”

“The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.”

Up to three days to accomplish an attack in 2011? This is due to the following cumbersome cycle used to circumvent Symbian’s signing requirement:

  • Ask the user for their device’s IMEI;
  • Generate an appropriate certificate;
  • Release an updated installer.


Waiting three days just to steal a couple of SMSs is not a reasonable overhead now that we have Android OS, which provides a much more intuitive and modern approach to loot the desired treasure.

Before we dive into the analysis, here’s a pictorial overview of MitMo evolution.

The following analysis is based on a compromised machine with SpyEye as found by Trusteer, an IBM company, in the wild on July 24th:

Stage 1: MITB — Web Injects Module (You Know the Drill…)

When a compromised user browses to the targeted bank, a message is injected presenting a “new” security measure, supposedly enforced by the bank, which is now mandatory in order to use its online banking service. The new measure pretends to be an Android application that protects the phone’s SMS messages from being intercepted (there’s irony for you) and will protect the user against fraud.

Clicking on “set the application” displays an additional injected message, providing further instructions for installing the application:

Stage 2 : Android (Malicious) Mobile App Installation

The user is directed to the download URL “hxxp://”

After the compromised user installs the Android application on his or her device, the application named “System” is not visible on the device dashboard. It’s not a service, and it’s not listed in any current running applications. In order for a user to determine the existence of this app, a bit of searching is required:

To complete the installation, the user is instructed to dial the number “325000”; the call is intercepted by the Android malware and the “alleged” activation code is presented, to be submitted later into the “bank’s site”:

The following is a de-compiled code snippet that is responsible for the “activation code” operation. There is no other reference to it in the application package (as of July 24):

Stage 3: Android Secure Application Is a Trojan

Now that the Trojan has installed successfully, all incoming SMSs will be intercepted and transferred to the attacker C&C; the de-compiled code snippet below is run when an SMS is received, creating a string for later use:


As implied from the string structure, it will later be appended as a query string to a GET HTTP request to be sent to the attacker’s drop zone.

The application package consists of a “Settings.xml” file (asset directory), which contains a configuration for the Trojan; “Settings.xml” defines:

  • The transfer method i.e. SMS or HTTP
  • The attacker’s drop zone URLs

Here’s a snippet of the extracted “Settings.xml”:

Stage 4: SMS Spy Command & Control

When examining the drop URLs, four of the domain names in use are not registered (yet!):;; and

However, one of them is not new in relation to SpyEye: The domain “” has been “hopping” around different IPs, in several locations, around the world.

Here’s a snippet from SpyEye’s tracker history record for domain over a three-day period:

Peeking around the attacker C&C reveals an unprotected (at the moment!) statistics page:

It’s worth pointing out that the information presented in the Attacker C&C above was produced when we tested the Trojan in action in our lab. Sender 15555215556 and Recipient 15555215554 refers to two Android emulators we used to simulate the attack (the corresponding HTTP traffic is presented above).

As indicated by the statistics page above, the attack has yet to gain momentum, so consider this a warning. I’m pretty sure this is just the beginning, so I’m tempted to say, “To be continued…”

SPITMO for Android Mobile Platform Loses the Battle Against Trusteer

Organizations must act now and install a desktop browser security solution as part of a multilayered security profile.

For banks that already offer Trusteer Rapport to their customers, the good news is they’re automatically protected and are not vulnerable to this attack — even if the Trojan is downloaded. This is because Rapport prevents SpyEye from installing on the customer’s PC; therefore, the entire chain of attack is terminated before it has a chance to take hold.

For those that haven’t downloaded Rapport, Trusteer Pinpoint will detect and report in real time victims who are infected with this variant of SpyEye as they attempt to connect to the bank’s website. By restricting the services available to these machines, such as the ability to complete transactions, the attack is defeated.

Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block this attack on the Android mobile platform, preventing any malicious activity.


This article was originally written by the IBM Trusteer security research team.

More from Endpoint

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today