It seems that SpyEye distributors are catching up with the mobile market as they (finally) target the Android mobile platform.

Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, SpyEye followed Zeus’ tracks by introducing its own hybrid desktop-mobile attacks (dubbed SPITMO).


The most recent achievement (that is, until our discovery at the end of July) of SpyEye in the mobile arena was reported in April on F-Secure’s blog.

The Trojan injects fields into a bank’s Web page and asks customers to input their mobile phone number and the IMEI of the phone. The bank customers are then told the information is needed so a “certificate” can be sent to the phone and are informed that it can take up to three days before the certificate is ready.

“The Trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate.”

“The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.”

Up to three days to accomplish an attack in 2011? This is due to the following cumbersome cycle used to circumvent Symbian’s signing requirement:

  • Ask the user for their device’s IMEI;
  • Generate an appropriate certificate;
  • Release an updated installer.


Waiting three days just to steal a couple of SMSs is not a reasonable overhead now that we have Android OS, which provides a much more intuitive and modern approach to loot the desired treasure.

Before we dive into the analysis, here’s a pictorial overview of MitMo evolution.

The following analysis is based on a compromised machine with SpyEye as found by Trusteer, an IBM company, in the wild on July 24th:

Stage 1: MITB — Web Injects Module (You Know the Drill…)

When a compromised user browses to the targeted bank, a message is injected presenting a “new” security measure, supposedly enforced by the bank, which is now mandatory in order to use its online banking service. The new measure pretends to be an Android application that protects the phone’s SMS messages from being intercepted (there’s irony for you) and will protect the user against fraud.

Clicking on “set the application” displays an additional injected message, providing further instructions for installing the application:

Stage 2 : Android (Malicious) Mobile App Installation

The user is directed to the download URL “hxxp://”

After the compromised user installs the Android application on his or her device, the application named “System” is not visible on the device dashboard. It’s not a service, and it’s not listed in any current running applications. In order for a user to determine the existence of this app, a bit of searching is required:

To complete the installation, the user is instructed to dial the number “325000”; the call is intercepted by the Android malware and the “alleged” activation code is presented, to be submitted later into the “bank’s site”:

The following is a de-compiled code snippet that is responsible for the “activation code” operation. There is no other reference to it in the application package (as of July 24):

Stage 3: Android Secure Application Is a Trojan

Now that the Trojan has installed successfully, all incoming SMSs will be intercepted and transferred to the attacker C&C; the de-compiled code snippet below is run when an SMS is received, creating a string for later use:


As implied from the string structure, it will later be appended as a query string to a GET HTTP request to be sent to the attacker’s drop zone.

The application package consists of a “Settings.xml” file (asset directory), which contains a configuration for the Trojan; “Settings.xml” defines:

  • The transfer method i.e. SMS or HTTP
  • The attacker’s drop zone URLs

Here’s a snippet of the extracted “Settings.xml”:

Stage 4: SMS Spy Command & Control

When examining the drop URLs, four of the domain names in use are not registered (yet!):;; and

However, one of them is not new in relation to SpyEye: The domain “” has been “hopping” around different IPs, in several locations, around the world.

Here’s a snippet from SpyEye’s tracker history record for domain over a three-day period:

Peeking around the attacker C&C reveals an unprotected (at the moment!) statistics page:

It’s worth pointing out that the information presented in the Attacker C&C above was produced when we tested the Trojan in action in our lab. Sender 15555215556 and Recipient 15555215554 refers to two Android emulators we used to simulate the attack (the corresponding HTTP traffic is presented above).

As indicated by the statistics page above, the attack has yet to gain momentum, so consider this a warning. I’m pretty sure this is just the beginning, so I’m tempted to say, “To be continued…”

SPITMO for Android Mobile Platform Loses the Battle Against Trusteer

Organizations must act now and install a desktop browser security solution as part of a multilayered security profile.

For banks that already offer Trusteer Rapport to their customers, the good news is they’re automatically protected and are not vulnerable to this attack — even if the Trojan is downloaded. This is because Rapport prevents SpyEye from installing on the customer’s PC; therefore, the entire chain of attack is terminated before it has a chance to take hold.

For those that haven’t downloaded Rapport, Trusteer Pinpoint will detect and report in real time victims who are infected with this variant of SpyEye as they attempt to connect to the bank’s website. By restricting the services available to these machines, such as the ability to complete transactions, the attack is defeated.

Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block this attack on the Android mobile platform, preventing any malicious activity.


This article was originally written by the IBM Trusteer security research team.

More from Endpoint

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Threat Management and Unified Endpoint Management

The worst of the pandemic may be behind us, but we continue to be impacted by it. School-aged kids are trying to catch up academically and socially after two years of disruption. Air travel is a mess. And all businesses have seen a spike in cyberattacks. Cyber threats increased by 81% while COVID-19 was at its peak, with 79% of all organizations experiencing a loss of business operations during that time. The risk of cyberattacks increased so much that the…

3 Ways EDR Can Stop Ransomware Attacks

Ransomware attacks are on the rise. While these activities are low-risk and high-reward for criminal groups, their consequences can devastate their target organizations. According to the 2022 Cost of a Data Breach report, the average cost of a ransomware attack is $4.54 million, without including the cost of the ransom itself. Ransomware breaches also took 49 days longer than the data breach average to identify and contain. Worse, criminals will often target the victim again, even after the ransom is…

How EDR Security Supports Defenders in a Data Breach

The cost of a data breach has reached an all-time high. It averaged $4.35 million in 2022, according to the newly published IBM Cost of a Data Breach Report. What’s more, 83% of organizations have faced more than one data breach, with just 17% saying this was their first data breach. What can organizations do about this? One solution is endpoint detection and response (EDR) software. Take a look at how an effective EDR solution can help your security teams. …