Russian antivirus firm Dr. Web has found some new Android malware it has dubbed ZBot, according to a report from the security researchers. Its name may stem from the fact that it’s similar to the Zeus Trojan and targets mobile banking customers. It appears to have been going after users in Russia since February 2015.
About ZBot
There are three variants of the malware: Android.ZBot.1.origin, Android.ZBot.2.origin and Android.ZBot.3.origin. The latter two are newer than the first and most likely were designed to evade antivirus and other detection programs.
The malicious app masquerades as a normal Android utility, usually the Google Play app. The infected app is hosted on a website and downloaded by users who believe they are getting the original software. After installation, the malware tries to obtain device administrator privileges by displaying an error message that instructs the unwitting user to reboot the system.
If this ploy fails at first, the malware displays a phishing page where victims are instructed to enter payment card information. Even when the malware does gain admin privileges, the phishing page is still displayed, though only for a limited time.
How the Malware Works
Let’s say the malware does trick the user into granting admin privileges. It is then launched when the mobile device is rebooted. Cybercriminals can then command ZBot to send SMS messages to specified numbers, make phone calls, track location via GPS and display phishing pages on top of specified banking applications, SecurityWeek reported.
When a banking application is detected, a specially designed phishing page downloaded from the command-and-control (C&C) center of the malware is displayed on top of it. The malware is designed to target the customers of numerous banks that operate in Russia, and the page it displays is specific to the detected bank.
Some of these banks allow users to carry out transactions via SMS message, so the malware may send special SMS commands that transfer money directly from bank accounts to the cybercriminals. Users are usually not even aware this has happened, according to Dr. Web, because the malware intercepts the confirmation messages.
Users Must Remain Alert
Security researchers discovered that each of ZBot's variants is controlled by different servers, whose addresses are stored in a special database inside the malicious program. They have identified more than 20 C&C servers for the malware and noted that at least 15 are still active.
Dr. Web claimed that the Trojan was flagged more than 25,000 times during the observation period. And with servers still active, the malware will likely remain a threat — especially if it moves beyond its existing geo-targeted locations.
They also issue an ominous warning that the bot may spread. “We cannot exclude the possibility that fraudsters will not limit their targets to Russian users only, and not expand the geography of these attacks to other countries including Europe and the United States,” the Dr. Web researchers said.
The best defense against this one is to install apps only from trusted sources. Dr. Web also recommended some remediation methods for users on any operating system.
Principal, PBC Enterprises