Android malware spies on your SMS messages – but is it part of the Zeus family?

The Symbian, Windows Mobile and BlackBerry modules of the notorious Zeus malware toolkit (also known as ZBot) have been known about for some months, and it has been clear that the Zeus gang was interested in developing malware for mobile platforms.

However, until now we have not seen any evidence of Zeus targeting users who own Android or iOS (iPhone/iPad) devices.

This fact was quite surprising to us, considering the popularity of the Android and iOS platforms and the growing prevalence of malware being written for the Google Android operating system in particular.

In the last couple of days, however, there has been quite a lot of discussion on the mobile malware analysis mailing lists about an Android version of Zeus.

We eventually concluded that this was a malicious application that Sophos products have been detecting as Andr/SMSRep-B since 31st May 2011.

The malicious application pretends to be an Android version of the Trusteer Rapport banking security tool, and was served to devices running the Google Android OS by a web server which had been set up to deliver ZBot malware to multiple platforms.

After the fact, it was not difficult to connect the Android application with the Zeus toolkit, although we could not conclude with 100% certainty that there was a connection.

The installed application uses a stolen Rapport icon and displays a simple screen when launched on an affected device.

[Image: Zeus Rapport]

The fake Rapport application registers a BroadcastReceiver which intercepts all received SMS messages and forwards them to a malicious web server using HTTP POST requests. The stolen SMS messages are encoded using JSON, an encoding scheme commonly used by web services.
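The combination described above (a receiver for incoming SMS broadcasts plus network access) is something an analyst can check for statically in an app's manifest before running anything. The script below is an added example written for this post, not code from the original article or from Sophos: it parses an AndroidManifest.xml and flags the SMS-interception pattern. Both manifests are constructed samples, and the package and class names in them are placeholders rather than values taken from the real Andr/SMSRep-B sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
PERM_RECEIVE_SMS = "android.permission.RECEIVE_SMS"
PERM_INTERNET = "android.permission.INTERNET"

# Constructed sample: a receiver for SMS broadcasts plus INTERNET permission,
# i.e. the shape of the fake-Rapport app described in the post. Names are placeholders.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder_fakebanking">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Rapport">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: an ordinary networked app with no SMS handling at all.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder_weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return the indicators relevant to the SMS-interception-plus-exfiltration pattern.

    'suspicious' is True when the app both listens for incoming SMS broadcasts and
    has the network permission it would need to forward them off the device.
    """
    root = ET.fromstring(manifest_xml.strip())
    permissions = {android_attr(p, "name") for p in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {android_attr(a, "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                # A high priority lets the receiver see the broadcast before the
                # stock messaging app does, which is typical of SMS interceptors.
                priority = android_attr(intent_filter, "priority")
                sms_receivers.append({
                    "name": android_attr(receiver, "name"),
                    "priority": int(priority) if priority else 0,
                })

    receives_sms = PERM_RECEIVE_SMS in permissions
    has_internet = PERM_INTERNET in permissions
    return {
        "package": root.get("package"),
        "receives_sms": receives_sms,
        "has_internet": has_internet,
        "sms_receivers": sms_receivers,
        "suspicious": receives_sms and has_internet and bool(sms_receivers),
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, result["package"], "-> suspicious:", result["suspicious"])
```

On a real sample the manifest is binary-encoded inside the APK and has to be decoded first (for example with apktool or aapt) before it can be fed to `triage_manifest`; the heuristic is a triage signal, not proof of malice, since legitimate messaging apps also declare this receiver.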

Although the application is clearly designed to steal the content of SMS messages, it's not very sophisticated.

That’s why we cannot be 100% sure that this is indeed a part of the Zeus kit. The URL of the command and control server is hard-coded into the source code, for example, which makes the application quite inflexible: it cannot easily be redeployed to report to a different server.

Nevertheless, this malicious Android application is interesting as it combines spyware functionality with the concept of fake security software. As we’ve seen recently in the Mac OS X world, fake anti-virus software is one of the most common themes adopted by malicious hackers in their attacks.

Ultimately, doubt remains over whether this is really part of the Zeus family or not.

I suppose only the developers of the Zeus kit know for certain. Unfortunately I have no means of contacting them, and even if I did I doubt they would be prepared to confirm or deny this theory.