Zeus for Android and fake Kaspersky Antivirus 2011

Filed Under: Android, Featured, Malware, Mobile, SophosLabs

Over the weekend I wrote about the discovery of the potential Android component of the Zeus information-stealing toolkit (also known as Zitmo).

I wanted to share an update as there are further developments which have been uncovered about the relationship between the Zeus toolkit and Andr/SMSRep-B.

Thanks to Denis from Kaspersky Labs we can now confirm that the fake Trusteer Rapport application is related to malicious websites set up as command-and-control servers for several Zeus/Zbot botnets.

The server-side Zeus application checks for the User-Agent string of the HTTP requests and delivers the malicious payload based on the browser type.

In the case of Android, the default browser User-Agent string will be similar to "Mozilla/5.0 (Linux; U; Android 2.2)..." and from there the operating system can be easily determined.

On a separate note, it seems that the tradition of malware pretending to be legitimate anti-virus software for Android continues.

After Trusteer, the next target is Kaspersky Labs. Yesterday, I had a chance to analyse a sample of Android malware which attempts to fool the user into installing the package by looking like a legitimate Kaspersky Antivirus 2011 product.

The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product.

When the package is launched the malware attempts to get the unique device ID and transform it into an "activation code". The fake activation code is then displayed in a standard Android view.

Fake Kaspersky Antivirus 2011

In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a web server set up by the attacker.

Luckily, in the case of this malware (which Sophos detects as Andr/SMSRep-C), the command-and-control web server IP address is 127.0.0.1 (localhost), which does not make the malware very useful.
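As an added example (not code from the post or from SophosLabs), here is a small static-triage check for the combination described above: a broadcast receiver registered for incoming SMS, together with the RECEIVE_SMS and INTERNET permissions needed to read the messages and ship them off the device. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML; the manifest below is constructed for the demonstration, not taken from the sample.

```python
# Static triage heuristic (added example, not from the original post):
# flag an APK manifest that both registers a receiver for incoming SMS
# and holds the permissions needed to read them and reach the network.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def sms_exfil_indicators(manifest_xml: str) -> dict:
    """Return which SMS-interception indicators a decoded manifest shows."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(f"{{{ANDROID_NS}}}name") == SMS_ACTION:
                sms_receivers.append(receiver.get(f"{{{ANDROID_NS}}}name"))
    return {
        "receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "sms_receivers": sms_receivers,
    }


def looks_like_sms_stealer(manifest_xml: str) -> bool:
    """True when all three indicators are present (a triage flag, not proof)."""
    ind = sms_exfil_indicators(manifest_xml)
    return ind["receive_sms"] and ind["internet"] and bool(ind["sms_receivers"])


# Constructed manifest fragment shaped like the behaviour described in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Antivirus 2011">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(sms_exfil_indicators(SAMPLE_MANIFEST))
    print("suspicious:", looks_like_sms_stealer(SAMPLE_MANIFEST))
```

Legitimate SMS apps trip the same heuristic, so treat a hit as a reason to look at the receiver's code and where it sends data, not as a verdict.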

Clearly, this is just an early test build and we will have to be on watch for the next version which will be connected with a real malicious server.

Although the functionality of Andr/SMSRep-B and Andr/SMSRep-C is quite similar, the code does not indicate that they have been developed by the same author.


3 Responses to Zeus for Android and fake Kaspersky Antivirus 2011

  1. Entegy · 1008 days ago

    Are these apps coming from official Marketplaces? If so, that's some really bad checking on the part of Google & co.

    • Vanja Svajcer · 1008 days ago

      These two apps have not been published on the Google Marketplace, but we have seen several attacks targeting the official markets as well. Nevertheless, these applications (like Zeus for Android) represent a danger since most Android users allow installation of applications from third-party markets (e.g. Amazon).

      Google has to do their best to find and remove potentially malicious apps but it is not always easy, with over 400k applications and 1k new apps added every day. Luckily, guys from Android Marketplace are very quick to react when you notify them that an application may be malicious.

      • Jay · 962 days ago

        Hi, I would like to know if there's some sort of apps monitoring/reporting mechanism in place by the different app stores, especially the official stores (i.e. Android, Apple, Ovi, etc.)

        I must admit I didn't find any legitimate info regarding this when I carried out a quick search via Google. Do these so-called "apps monitoring management policies" actually exist? If so, why are these not currently listed/published? What are the reporting procedures for a malicious app for different app stores? Any thoughts on that?

        Many thanks,
        Jay


About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.