Virtually undetectable SpyEye malware spotted on the Android platform

Like the Zeus-allied malware that reached Google's Android smartphone/tablet operating system earlier this year, the SpyEye extension takes a symbiotic approach: the mobile component works together with an infection on the victim's desktop, a technique that Trusteer calls a SpitMo hybrid desktop-mobile attack.

According to Amit Klein, Trusteer's chief technology officer, DroidOS/Spitmo has escalated the danger posed by SpyEye, now that the malware has been able to change its delivery and infection methods.

“We always said it was just a matter of time before the true potential of SpitMo was realized. When it first emerged back in April, F-Secure reported, in its blog, that it was targeting European banks. The trojan injected fields into a bank's webpage asking the customer to input his mobile phone number and the IMEI of the phone”, he said.

“The fraudster then needed to follow a cumbersome three stage sequence – get the IMEI number; generate a certificate; then release an updated installer. This process could take up to three days”, he added.

Klein went on to say that he could not believe fraudsters would go to that much effort just to steal a couple of SMSs, and it appears he was right: information gathered by Trusteer's researchers shows that a new, far more streamlined and modern SpitMo approach for Android is now active in the wild.

Klein said that when a user browses to the targeted bank, a message is injected into the page presenting a 'new' mandatory security measure, supposedly enforced by the bank, that must be completed in order to use its online banking service. The measure, he added, is presented as an Android application that protects the phone's SMS messages from being intercepted and will protect the user against fraud.

“How’s that for irony”, he said, adding that once the user clicks on "set the application" they are given further instructions that walk them through downloading and installing the application.

To complete the installation, the Trusteer CTO says, the user is instructed to dial the number "325000"; the call is intercepted by the Android malware and an ‘alleged’ activation code is presented, to be submitted later into the "bank’s site".

“Besides concealing the true nature of the application, this activation code does not serve any legitimate purpose”, he noted.

Once the trojan has installed successfully, all incoming SMS messages are intercepted and forwarded to the attacker’s command-and-control (C&C) server, he said.

The good news, he added, is that at the moment the attack has yet to gain momentum, but that is just a matter of time.

“This is a very real early warning and I'm pretty sure it’s only just started. I’m tempted to say to be continued…”, he said, adding that what makes all of this so scary is that the application is not visible on the device’s dashboard, making it virtually undetectable: users are not aware of its presence and will struggle to get rid of it.
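The behaviours described above (an SMS receiver that forwards one-time codes, a hook on outgoing calls to catch the fake "325000" activation call, and no launcher icon) can all be read straight off an app's manifest. The following is an added triage script, not code from Trusteer or from this article: given a decoded AndroidManifest.xml (as produced by apktool, for instance), it reports those indicators and flags the app when several coincide. Both sample manifests are constructed for illustration, and every package, class and label name in them is hypothetical, not a real SpitMo indicator.

```python
"""Manifest triage for SpitMo-style Android SMS stealers.

Added illustration, not code from Trusteer or from the article. It checks
a decoded AndroidManifest.xml for the behaviours the article describes: a
receiver for incoming SMS, a receiver for outgoing calls (the "325000"
activation-call trick) and no launcher activity (hence no icon).
All package, class and label names in the samples are invented.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android:* attr prefix

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
ACTION_MAIN = "android.intent.action.MAIN"
CAT_LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample: what a decoded manifest of a SpitMo-like
# "SMS protection" app might look like (hypothetical names).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsguard">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="SMS Guard">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample: an ordinary app with a launcher icon.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the indicators found plus human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    has_launcher = False
    sms_priority = None          # priority of an SMS_RECEIVED filter, if any
    hooks_outgoing_calls = False

    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias", "receiver"):
            continue
        for filt in comp.findall("intent-filter"):
            actions = {a.get(A + "name") for a in filt.findall("action")}
            cats = {c.get(A + "name") for c in filt.findall("category")}
            if ACTION_MAIN in actions and CAT_LAUNCHER in cats:
                has_launcher = True
            if SMS_RECEIVED in actions:
                sms_priority = int(filt.get(A + "priority", "0"))
            if NEW_OUTGOING_CALL in actions:
                hooks_outgoing_calls = True

    findings = []
    if "android.permission.RECEIVE_SMS" in perms and sms_priority is not None:
        # Before Android 4.4 a high-priority receiver could read and abort
        # the broadcast before the stock messaging app ever saw the SMS.
        findings.append("receives incoming SMS (filter priority %d)" % sms_priority)
    if findings and "android.permission.INTERNET" in perms:
        findings.append("INTERNET permission: channel to forward SMS to a C&C")
    if hooks_outgoing_calls:
        findings.append("hooks outgoing calls: can intercept a dialled number "
                        "such as the fake activation call")
    if not has_launcher:
        findings.append("no MAIN/LAUNCHER activity: the app shows no icon")

    return {
        "package": root.get("package"),
        "sms_priority": sms_priority,
        "hooks_outgoing_calls": hooks_outgoing_calls,
        "has_launcher": has_launcher,
        "findings": findings,
        "suspicious": len(findings) >= 3,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(text)
        print(r["package"], "SUSPICIOUS" if r["suspicious"] else "ok")
        for f in r["findings"]:
            print("  -", f)
```

The threshold of three coinciding indicators is a deliberate choice: a legitimate messaging app will legitimately register for SMS_RECEIVED and use the network, but it will also have a launcher icon and has no reason to hook outgoing calls. Run against an installed app, the same checks can be made from the manifest extracted out of the APK, which is the reliable way to find a package that, as Klein notes, never appears on the device's dashboard.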
