New Zitmo variant has improved functionality, better disguise

The Zitmo (Zeus in the mobile) malware has been infecting smartphones for a couple of years. It began by infecting smartphones with the Symbian operating system, then switched to Android last year when Symbian lost favor with consumers.

Zitmo is used by cybercriminals in tandem with the traditional Zeus keylogging malware on PCs to steal the victim’s banking credentials and ultimately the victim’s money. Zitmo is used to intercept two-factor authentication that banks use to validate the identity of the account holder when logging in.

This new variant improves Zitmo’s injection vectors, social engineering techniques, money mule methods, and infrastructure protection. The group behind the variant is the FourStreetAvengers (aka ZiMo_GroupA), Damballa explained in a recent blog.

“This is an evolution of what has been going on. The Zitmo agent is being presented to the victims as an Android security suite, which is a new technique that the bad guys have been using to get onto the device”, explained Gunter Ollmann, vice president of research at Damballa.

The extent of the infrastructure used by the FourStreetAvengers is striking, as well, Ollmann told Infosecurity. This group's Zitmo malware is infecting 10,000 to 20,000 Android smartphones per week, he added.

“In the blog, we wanted to provide some information about the sophistication of the organization behind these attacks”, Ollmann said.

To underscore this point, Damballa prepared a large chart showing the complexity and extent of the criminal ecosystem behind the Zitmo malware. “We display the infrastructure that the bad guys are using to control their bot agents, receive the stolen information, and distribute and manage the delivery of the malicious agents to the mobile handsets and the desktop”, Ollmann explained.

“This is serious business for these criminal operators. This isn’t one man in the dark sitting at home. These are large operations that require a lot of technical skill to manage all of the infrastructure and global hosting of the supporting infrastructure”, he stressed.

What’s Hot on Infosecurity Magazine?