SpyEye targeting Android users - just a copy of Zeus's strategy?

Filed Under: Android, Malware, Mobile, SophosLabs

In the world of Windows malware, SpyEye is a widespread malicious toolkit for creating and managing botnets. It is designed primarily for stealing banking credentials and other confidential information from infected systems.

SpyEye is a major competitor of the infamous Zeus toolkit.

Zeus (also known as ZBot) generated a lot of interest in the mobile security community a couple of months ago when an Android version was discovered.

Of course, we did not have to wait long before a version of SpyEye targeting Android was also developed, and sure enough a malicious SpyEye Android app was discovered a few days ago.

The functionality of Zeus and SpyEye on Windows is quite similar, so I was curious as to how similar their respective Android versions would be.

Zeus for Android purports to be a version of Trusteer Rapport security software. This social engineering trick is used in an attempt to convince the user that the application they are installing is legitimate.

SpyEye for Android, now detected by Sophos products as Andr/Spitmo-A, uses a slightly different but similar social engineering technique.

When the user of a PC infected by the Windows version of SpyEye visits a targeted banking website, and when the site is using mobile transaction authorization numbers, the SpyEye Trojan may inject HTML content which will instruct the user to download and install the Android program to be used for transaction authorisation.

The SpyEye application package does not show up as an icon in the "All apps" menu, so the user will only be able to find the package when "Manage Applications" is launched from the mobile device's settings.

The application uses the display name "System" so that it seems like a standard Android system application.

SpyEye for Android installed

When installed, Zeus for Android displayed a fake activation screen, and Spitmo is again very similar.

However, Spitmo uses different tactics to convince the user that it is a legitimate application.

It applies for the following Android permissions:


This allows the malware to intercept outgoing phone calls.

When a number is dialed, the call is intercepted before the connection is made and the dialed phone number is matched to a special number specified by the attacker in the alleged helper application installation instructions.

If the number matches, Spitmo displays a fake activation number, which is always 251340.

SpyEye for Android - fake activation

Once installed, the functionality of Zeus and SpyEye is pretty much the same.

A broadcast receiver intercepts all received SMS text messages and sends them to a command and control server using an HTTP POST request. The submitted information includes the sender's number and the full content of the message.
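For triage, the traits described above (no launcher icon, the display name "System", call and SMS interception, network access) can be checked in a decoded AndroidManifest.xml. The following is an added example, not code from the original article or from Sophos. The permission and intent action names are the standard Android identifiers for these behaviours and are assumed rather than taken from the sample, and the package and class names are invented.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml showing the traits described
# in the article. Package and class names are invented for illustration.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.helper">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System">
    <receiver android:name=".SmsHook"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <receiver android:name=".CallHook"><intent-filter>
      <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def names(root, path):
    """Set of android:name values on every element matching path."""
    return {e.get(NS + "name") for e in root.iterfind(path)}

def triage(manifest_xml):
    """Return the article's traits that are present in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = names(root, "uses-permission")
    hooks = names(root, "application/receiver/intent-filter/action")
    cats = names(root, "application/activity/intent-filter/category")
    app = root.find("application")
    # A real label may be a resource reference (@string/...) needing resolution.
    label = app.get(NS + "label") if app is not None else None
    checks = {
        "hidden from launcher": "android.intent.category.LAUNCHER" not in cats,
        "labelled 'System'": label == "System",
        "SMS interception": "android.provider.Telephony.SMS_RECEIVED" in hooks
        and "android.permission.RECEIVE_SMS" in perms,
        "outgoing call interception": "android.intent.action.NEW_OUTGOING_CALL" in hooks
        and "android.permission.PROCESS_OUTGOING_CALLS" in perms,
        "network access": "android.permission.INTERNET" in perms,
    }
    return [trait for trait, hit in checks.items() if hit]
```

No single trait is conclusive (legitimate SMS apps register the same receiver); it is the combination with a missing launcher entry and a system-like label that merits a closer look.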

So far, it does not seem that this attack is widespread, but it shows that the developers of major malicious toolkits are closely watching their competition and matching the latest features.

It also seems that support for Android is increasingly becoming an important part of their product strategy.


8 Responses to SpyEye targeting Android users - just a copy of Zeus's strategy?

  1. peter · 944 days ago

    It's always good to know what's out there! Thanx for keeping us up to date!

  2. Ann · 944 days ago

    OK, so that's how to recognise it. Now how do we protect and/or purge our Androids?

  3. Elissa · 944 days ago

    I have an android phone and am not particularly computer savvy so please forgive my ignorance but is there antivirus software I can put on my phone?

    • Dale · 940 days ago

      Yes there are 3 antivirus programs that I know of that are good for Android Phones. First there is AVG, which is what I use. There is a free and a paid version. The paid version I use is $9.99. Second there is Norton A/V for Android. There is a free and paid version. You have to pay to get the most benefit out of it. Though I believe it is $29.99 a year. Then there is Lookout, which I don't recommend because it seems to really eat through the battery life. There again you have to pay to get the full benefits from it.
      But all 3 of these antiviruses are available on the android market. Just use the search function to query the market for them and choose the one you like. There are also others, but I would stick with the major makers of antivirus software for computers.

  4. Martin · 944 days ago

    So, starting with the big question, how do you protect your smart-phone from malware? Do Sophos and their competitors have malware scanning apps for smart-phones? If not, how long will it be before they do?
    I'm just about to buy my first smart-phone. Thanks for any answers.

  5. Martin · 943 days ago

    So, starting with the big question, how do you protect your smart-phone from malware? Do Sophos and their competitors have malware scanning apps for smart-phones? If not, how long will it be before they do?

  6. TMatt · 941 days ago

    Thank you, Vanja. Greetings from Croatia!

  7. pssyche · 940 days ago

    There are several anti-malware products available on the Android Market folks. Your phone should have the Market installed as an app by default but you can visit from a computer browser too. Off the top of my head, McAfee and Lookout both have a product available there.


About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.