Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

After Zitmo comes Citmo – Carberp in the mobile

Carberp can be bought or rented from the authors
Carberp can be bought or rented from the authors

Carberp, like Zeus, is a banking fraud trojan. It primarily targets Russian banks and banks in Russian-speaking countries. Zeus in the mobile has been around for some time, and earlier this month the most successful Zitmo campaign yet was exposed. Now Carberp has similarly migrated to the mobile market, joining Zitmo and Spitmo (SpyEye in the mobile) as threats to SMS-authenticated online banking.

“During the last two years [Zitmo and Spitmo] attacks have been observed only in some European countries like Spain, Italy, Germany, Poland and few others,” explains a Kaspersky Lab blog. But now, with Citmo, “such attacks became real in Russia as well.” This has materialised just as online banking has become more popular in Russia.

The process is similar to the Zitmo operation. First the PC is infected. Then it needs to get the user’s smartphone infected with the mobile part of the Trojan. It does this by altering “the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system.” That app could be found in Google Play, and the effect is to infect the smartphone.

Subsequently, when the bank sends its SMS mobile transaction authorization code (mTAN) to the mobile device, it can be intercepted and used by criminals. The user may be left to believe that he or she is continuing the transaction, or that the bank’s website is temporarily offline (depending on what the PC trojan displays on the PC), but in fact the criminal is using the mTAN to conduct an illegal and covert transaction, fully authorized by the intercepted mTAN.

“It’s significant,” David Harley, a senior research fellow with ESET told Infosecurity, “but not surprising, in that fake banking apps have obvious fraud and data theft potential. While smartphone apps from real banks are still fairly conservative in what they allow (in the UK at least), it's reasonable to assume that customers will be all too likely to fall for fake apps that seem to offer more 'convenient' functionality – and the disappointing recent performance by Google Play in terms of proactively blocking Android malware makes it a convenient vector.”

Kaspersky’s Denis Maslennikov reports that the app developer, going by the name of Samsonov Sergey, has uploaded three Carberp apps to Google play: SberSafe (Sberbank is one of Russia’s most popular banks), AlfaSafe and VkSafe. All three have similar functionality. “The ‘SberSafe’ app has been downloaded at least 100 times, ‘AlfaSafe’ has been downloaded at least once and ‘VkSafe’ – 50 times,” he notes.