Zeus trojan is back and targeting Windows Mobile phones

By Speedway on Friday, February 25, 2011

A new variant of the Zeus trojan has surfaced and it's targeting Windows Mobile phones. In September a variant was discovered that targeted Symbian and BlackBerry phones.

Don't want to get all fire-and-brimstone about the trojan. The trojan is mostly interesting in that it is another warning about the kinds of security issues that smartphone users will increasingly face. But there isn't much direct risk from this particular trojan to users in the U.S. It is based on a phishing scam aimed at Polish users of accounts hosted by ING Bank Slaski, accessed via the bank's two-factor authentication.

It's a man-in-the-middle attack. The trojan, dubbed Zeus in the Mobile, is itself a variant of a trojan for Windows (a file identified as Trojan-Spy.Win32.Zbot.bbmf). Users are exposed to Zeus either by visiting an infected Web site or by first being attacked on the PC. Once infected, users "are asked to enter their cell phone number and smartphone model for a 'certificate update,'" according to the Kaspersky Lab Expert blog.

The trojan wants to steal the "mTANs," or mobile transaction authentication numbers, which banks are using to strengthen security as more people want to do online banking via their phones. The bank sends a one-time password in a text message. A certificate is needed to log in to online accounts. In the case of this trojan, once the user responds with the phished info, the black hats send the user an SMS message with a link to the malware built for the phone's specific OS: Symbian, BlackBerry and now Windows Mobile. After that, the malware secretly forwards text messages containing all mTANs to the bad guys, according to The Register.

So far, iPhones and Android phones don't seem to be affected. But Android has also been the subject of its own SMS trojans. In December, researchers discovered what they thought was the first one: malware dubbed "Movie Player," masquerading as a media player and targeted at Russian users. And then there were more for Android: two more trojans were found that targeted Chinese users. Again, these infect users who download apps from the Android Market. The second Android trojan was discovered earlier this month.

Company-owned app marketplaces (Google's, Microsoft's) do have restrictions in place to limit malware-infested apps, but the rate of application development seems to be outpacing the resources companies have dedicated to validating the apps. Mobile app developers are required to apply and be authenticated before they can submit their apps. But fake companies can get through. And if an application uses a certificate, the phone is more likely to treat the certificate and application as legit, according to an article in Computerworld.

Security researchers will also be increasingly highlighting mobile malware as they look for reasons to validate the up-and-coming mobile security software market. Kaspersky, for instance, sells Kaspersky Mobile Security 9, which requires an annual subscription of $30 per phone to protect Windows Mobile, Symbian, Blackberry, and Android phones.

While most employees won't be accessing corporate bank information on their phones, enterprises are wise to start looking at affordable, reasonable methods to secure their road warriors' smartphones, and to watch the ways that black hats are duping users. IT departments may also want to add smartphone security user training/education/wiki material to their 2011 protection plans, such as teaching users to be as wary of links in text messages as they are of links in e-mail messages.
