It seems that SpyEye distributors are catching up with the mobile market as they (finally) target the Android mobile platform.
Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, SpyEye followed Zeus’ tracks by introducing its own hybrid desktop-mobile attacks (dubbed SPITMO).
The most recent achievement (that is, until our discovery at the end of July) of SpyEye in the mobile arena was reported in April on F-Secure’s blog.
The Trojan injects fields into a bank’s Web page and asks customers to input their mobile phone number and the IMEI of the phone. The bank customers are then told the information is needed so a “certificate” can be sent to the phone and are informed that it can take up to three days before the certificate is ready.
“The Trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate.”
“The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.”
Up to three days to accomplish an attack in 2011? This is due to the following cumbersome cycle used to circumvent Symbian’s signing requirement:
- Ask the user for their device’s IMEI;
- Generate an appropriate certificate;
- Release an updated installer.
Waiting three days just to steal a couple of SMSs is not a reasonable overhead now that we have Android OS, which provides a much more intuitive and modern approach to loot the desired treasure.
Before we dive into the analysis, here’s a pictorial overview of MitMo evolution.
The following analysis is based on a compromised machine with SpyEye as found by Trusteer, an IBM company, in the wild on July 24th:
Stage 1: MITB — Web Injects Module (You Know the Drill…)
When a compromised user browses to the targeted bank, a message is injected presenting a “new” security measure, supposedly enforced by the bank, which is now mandatory in order to use its online banking service. The new measure pretends to be an Android application that protects the phone’s SMS messages from being intercepted (there’s irony for you) and will protect the user against fraud.
Clicking on “set the application” displays an additional injected message, providing further instructions for installing the application:
Stage 2 : Android (Malicious) Mobile App Installation
The user is directed to the download URL “hxxp://www.androidseguridad.com/simseg.apk.”
After the compromised user installs the Android application on his or her device, the application named “System” is not visible on the device dashboard. It’s not a service, and it’s not listed in any current running applications. In order for a user to determine the existence of this app, a bit of searching is required:
To complete the installation, the user is instructed to dial the number “325000”; the call is intercepted by the Android malware and the “alleged” activation code is presented, to be submitted later into the “bank’s site”:
The following is a de-compiled code snippet that is responsible for the “activation code” operation. There is no other reference to it in the application package (as of July 24):
Stage 3: Android Secure Application Is a Trojan
Now that the Trojan has installed successfully, all incoming SMSs will be intercepted and transferred to the attacker C&C; the de-compiled code snippet below is run when an SMS is received, creating a string for later use:
As implied from the string structure, it will later be appended as a query string to a GET HTTP request to be sent to the attacker’s drop zone.
The application package consists of a “Settings.xml” file (asset directory), which contains a configuration for the Trojan; “Settings.xml” defines:
- The transfer method i.e. SMS or HTTP
- The attacker’s drop zone URLs
Here’s a snippet of the extracted “Settings.xml”:
Stage 4: SMS Spy Command & Control
When examining the drop URLs, four of the domain names in use are not registered (yet!): 124ff42.com; 124ffdfsaf.com; and 124sfafsaffa.com.
However, one of them is not new in relation to SpyEye: The domain “124ffsaf.com” has been “hopping” around different IPs, in several locations, around the world.
Here’s a snippet from SpyEye’s tracker history record for domain 124ffsaf.com over a three-day period:
Peeking around the attacker C&C reveals an unprotected (at the moment!) statistics page:
It’s worth pointing out that the information presented in the Attacker C&C above was produced when we tested the Trojan in action in our lab. Sender 15555215556 and Recipient 15555215554 refers to two Android emulators we used to simulate the attack (the corresponding HTTP traffic is presented above).
As indicated by the statistics page above, the attack has yet to gain momentum, so consider this a warning. I’m pretty sure this is just the beginning, so I’m tempted to say, “To be continued…”
SPITMO for Android Mobile Platform Loses the Battle Against Trusteer
Organizations must act now and install a desktop browser security solution as part of a multilayered security profile.
For banks that already offer Trusteer Rapport to their customers, the good news is they’re automatically protected and are not vulnerable to this attack — even if the Trojan is downloaded. This is because Rapport prevents SpyEye from installing on the customer’s PC; therefore, the entire chain of attack is terminated before it has a chance to take hold.
For those that haven’t downloaded Rapport, Trusteer Pinpoint will detect and report in real time victims who are infected with this variant of SpyEye as they attempt to connect to the bank’s website. By restricting the services available to these machines, such as the ability to complete transactions, the attack is defeated.
Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block this attack on the Android mobile platform, preventing any malicious activity.
This article was originally written by the IBM Trusteer security research team.