It seems that SpyEye distributors are catching up with the mobile market as they (finally) target the Android mobile platform.

Ever since Man-in-the-Mobile attacks (MitMo, with ZitMo as the Zeus flavor) first emerged in late 2010, SpyEye has followed in Zeus’ tracks by introducing its own hybrid desktop-mobile attack, dubbed SPITMO (SpyEye in the Mobile).


The most recent achievement (that is, until our discovery at the end of July) of SpyEye in the mobile arena was reported in April on F-Secure’s blog.

The Trojan injects fields into a bank’s Web page and asks customers to input their mobile phone number and the IMEI of the phone. The bank customers are then told the information is needed so a “certificate” can be sent to the phone and are informed that it can take up to three days before the certificate is ready.

“The Trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate.”

“The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.”

Up to three days to accomplish an attack in 2011? The delay comes from the cumbersome cycle needed to circumvent Symbian’s signing requirement, which the attackers must repeat for every new batch of victims:

  • Ask the user for their device’s IMEI;
  • Obtain a developer certificate that lists that IMEI;
  • Release an updated installer signed with the new certificate.


Waiting three days just to steal a couple of SMSs is not a reasonable overhead now that Android is available: Android accepts a self-signed APK sideloaded from any URL, with no per-device certificate to request, so a single installer serves every victim and the loot can be collected right away.

Before we dive into the analysis, here’s a pictorial overview of MitMo evolution.

The following analysis is based on a SpyEye-infected machine found in the wild by Trusteer, an IBM company, on July 24th:

Stage 1: MITB — Web Injects Module (You Know the Drill…)

When a compromised user browses to the targeted bank, a message is injected presenting a “new” security measure, supposedly enforced by the bank and now mandatory in order to use its online banking service. The “measure” is presented as an Android application that protects the phone’s SMS messages from being intercepted (there’s irony for you) and guards the user against fraud.

Clicking on “set the application” displays an additional injected message, providing further instructions for installing the application:

Stage 2: Android (Malicious) Mobile App Installation

The user is directed to the download URL “hxxp://”

After the compromised user installs the Android application on his or her device, an app named “System” is nowhere to be seen: it is not visible on the device dashboard (it registers no launcher icon), it is not a service, and it is not listed among the currently running applications. To establish that the app exists at all, a user has to dig into the installed-applications list under Settings:

To complete the installation, the user is instructed to dial the number “325000”. The Android malware intercepts this outgoing call and, instead of placing it, displays the “alleged” activation code, which the user is then told to submit on the “bank’s site” (that is, into the injected form):

The following is a de-compiled code snippet that is responsible for the “activation code” operation. There is no other reference to it in the application package (as of July 24):

Stage 3: Android Secure Application Is a Trojan

Now that the Trojan has installed successfully, every incoming SMS is intercepted and forwarded to the attacker’s C&C. The de-compiled code snippet below runs when an SMS is received and builds a string for later use:


As the string structure implies, it is later appended as the query string of an HTTP GET request sent to the attacker’s drop zone.

The application package ships a “Settings.xml” file in its assets directory that holds the Trojan’s configuration. “Settings.xml” defines:

  • the transfer method, i.e. SMS or HTTP;
  • the attacker’s drop zone URLs.

Here’s a snippet of the extracted “Settings.xml”:

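As an added example (not the extracted Settings.xml and not code from the sample), here is a Python triage script that checks an unpacked package for the indicators described in Stages 2 and 3: no launcher activity (the app is hidden from the dashboard), a receiver for SMS_RECEIVED and its intent-filter priority, a receiver for NEW_OUTGOING_CALL (the hook that lets the “325000” activation call be hijacked), and a Settings.xml naming the transfer method and drop zones. The manifest and Settings.xml below are constructed for this example; the Settings.xml element names (transfer, url) and the drop-zone hostnames are assumptions, since the page does not show the real file’s layout.

```python
"""Static triage for SPITMO-style indicators in an unpacked Android package.

Inputs are the decoded AndroidManifest.xml text and the assets/Settings.xml
text. Both sample documents below are CONSTRUCTED for this example; the
Settings.xml layout (<transfer>, <url>) is an assumption about the real file.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
# Either of these lets a hidden SMS receiver get the message off the phone.
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def android_attr(name):
    """Key of an android:-namespaced attribute as ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, name)


def _filter_actions(intent_filter):
    return {a.get(android_attr("name")) for a in intent_filter.iter("action")}


def triage_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    name_attr = android_attr("name")
    permissions = {p.get(name_attr) for p in root.iter("uses-permission")}

    # An app with no MAIN/LAUNCHER activity never appears on the dashboard.
    has_launcher = False
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            categories = {c.get(name_attr) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in _filter_actions(flt)
                    and "android.intent.category.LAUNCHER" in categories):
                has_launcher = True

    sms_receivers, call_receivers = [], []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = _filter_actions(flt)
            if SMS_RECEIVED in actions:
                # A high priority puts this receiver ahead of the stock
                # messaging app, so it can read (and abort) the SMS first.
                priority = int(flt.get(android_attr("priority"), "0"))
                sms_receivers.append((receiver.get(name_attr), priority))
            if NEW_OUTGOING_CALL in actions:
                call_receivers.append(receiver.get(name_attr))

    return {"hidden": not has_launcher, "permissions": permissions,
            "sms_receivers": sms_receivers, "call_receivers": call_receivers}


def parse_settings(settings_xml):
    """Assumed layout: <settings><transfer>sms|http</transfer><url>..</url></settings>."""
    root = ET.fromstring(settings_xml)
    method = (root.findtext("transfer") or "").strip().lower()
    urls = [u.text.strip() for u in root.findall("url") if u.text and u.text.strip()]
    return {"transfer": method, "drop_urls": urls}


def triage(manifest_xml, settings_xml=None):
    report = triage_manifest(manifest_xml)
    report.update(parse_settings(settings_xml) if settings_xml
                  else {"transfer": "", "drop_urls": []})
    # The SPITMO shape: no icon, an SMS hook, and a way to get the SMS out.
    report["suspicious"] = (report["hidden"] and bool(report["sms_receivers"])
                            and bool(report["permissions"] & EXFIL_PERMS))
    return report


# Constructed sample manifest mirroring the behaviour described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.system.security">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed Settings.xml; hostnames are placeholders, not the real drop zones.
SAMPLE_SETTINGS = """<settings>
  <transfer>http</transfer>
  <url>http://drop-one.invalid/gate.php</url>
  <url>http://drop-two.invalid/gate.php</url>
</settings>"""

# Constructed benign manifest: has a launcher activity, no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest, settings in (("sample", SAMPLE_MANIFEST, SAMPLE_SETTINGS),
                                      ("benign", BENIGN_MANIFEST, None)):
        r = triage(manifest, settings)
        print(label, "SUSPICIOUS" if r["suspicious"] else "clean",
              r["sms_receivers"], r["call_receivers"], r["drop_urls"])
```

On a real APK the manifest is stored in binary XML, so decode it first (apktool or a similar decoder) and point the script at the decoded text and at the extracted assets/Settings.xml. The three checks are deliberately independent: a missing launcher icon alone is common in legitimate packages (plugins, device-admin helpers), and it is the combination with an SMS hook and an exfiltration path that matches the sample described here.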
Stage 4: SMS Spy Command & Control

When examining the drop URLs, four of the domain names in use are not registered (yet!).

However, one of them is not new in relation to SpyEye: that domain has been “hopping” between different IPs, in several locations around the world.

Here’s a snippet from the SpyEye Tracker’s history record for the domain over a three-day period:

Peeking around the attacker C&C reveals an unprotected (at the moment!) statistics page:

It’s worth pointing out that the information shown in the attacker’s C&C above was produced when we ran the Trojan in our lab. Sender 15555215556 and recipient 15555215554 are the two Android emulators we used to simulate the attack (the corresponding HTTP traffic is shown above).

As indicated by the statistics page above, the attack has yet to gain momentum, so consider this a warning. I’m pretty sure this is just the beginning, so I’m tempted to say, “To be continued…”

SPITMO for Android Mobile Platform Loses the Battle Against Trusteer

Organizations must act now and install a desktop browser security solution as part of a multilayered security profile.

For banks that already offer Trusteer Rapport to their customers, the good news is they’re automatically protected and are not vulnerable to this attack — even if the Trojan is downloaded. This is because Rapport prevents SpyEye from installing on the customer’s PC; therefore, the entire chain of attack is terminated before it has a chance to take hold.

For customers who haven’t installed Rapport, Trusteer Pinpoint detects and reports in real time victims infected with this SpyEye variant as they attempt to connect to the bank’s website. By restricting the services available to those machines, such as the ability to complete transactions, the attack is defeated.

Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block this attack on the Android mobile platform, preventing any malicious activity.


This article was originally written by the IBM Trusteer security research team.
