December 17, 2015 By Larry Loeb 2 min read

Russian antivirus firm Dr. Web has found some new Android malware it has dubbed ZBot, according to a report from the security researchers. Its name may stem from the fact that it’s similar to the Zeus Trojan and targets mobile banking customers. It appears to have been going after users in Russia since February 2015.

About ZBot

There are three variants of the malware: Android.ZBot.1.origin, Android.ZBot.2.origin and Android.ZBot.3.origin. The latter two are newer than the first and most likely were designed to evade antivirus and other detection programs.

The injection program looks like a normal Android utility, usually the Google Play app. The infected app is placed on a website and downloaded by users who think they are getting the original software. After installation, the malware tries to obtain administrator privileges via an error message that mandates the unwitting user reboot the system.

If this ploy fails initially, the malware will display a phishing page where victims are instructed to enter payment card information. This phishing page is also displayed even if the malware gains admin privileges but only for a limited time.

How the Malware Works

Let’s say the malware does trick the user into granting admin privileges. It is then launched when the mobile device is rebooted. Cybercriminals can then command ZBot to send SMS messages to specified numbers, make phone calls, track location via GPS and display phishing pages on top of specified banking applications, SecurityWeek reported.

When a banking application is detected, a specially designed phishing page downloaded from the command-and-control (C&C) center of the malware is displayed on top of it. The malware is designed to target the customers of numerous banks that operate in Russia, and the page it displays is specific to the detected bank.

Some of these banks will allow users to carry out transactions via SMS message so the malware may send special SMS commands that will take money directly from bank accounts and send it to the cybercriminals. Users are usually not even aware this has happened, according to Dr. Web, because the malware will intercept confirmation messages.

Users Must Remain Alert

Security researchers discovered that all of ZBot’s modifications are controlled by different servers, the addresses of which are stored in a special database of the malicious program. They have detected more than 20 C&C servers for the malware — and noted that at least 15 are still active.

Dr. Web claimed that the Trojan was flagged more than 25,000 times during the observation period. And with servers still active, the malware will likely remain a threat — especially if it moves beyond its existing geo-targeted locations.

They also make the ominous warning that the bot may spread. “We cannot exclude the possibility that fraudsters will not limit their targets to Russian users only, and not expand the geography of these attacks to other countries including Europe and the United States,” the Dr. Web researchers said.

It seems the way around this one is to only load programs from trusted sites. There are also some remediation methods Dr. Web recommended for users on any operating system.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today