{"id":9892,"date":"2011-07-11T18:58:21","date_gmt":"2011-07-12T01:58:21","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=9892"},"modified":"2025-05-29T03:40:38","modified_gmt":"2025-05-29T10:40:38","slug":"dissecting-zeus-for-android-or-is-it-just-an-sms-spyware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dissecting-zeus-for-android-or-is-it-just-an-sms-spyware\/","title":{"rendered":"Dissecting Zeus for Android (or Is It Just SMS Spyware?)"},"content":{"rendered":"

Zeus, also known as ZBot, is one of best-known malware in the industry. The main purpose of this malware is to steal banking credentials, allowing attackers to commit electronic fraud. Until 2010, Zeus existed only for personal computers since this platform was (and still is) the principal medium for electronic transactions. However, due to the increasing popularity of mobile devices and the fact that many companies now allow the sending of mTANs (Mobile Transaction Authentication Number) via SMS as a second factor of authentication, in September of 2010 a new variant of Zeus\u00a0was discovered. This one targets mobile devices (Symbian, Blackberry, and Windows Mobile) and will intercept SMS\u2019s sent to the user by the bank and forward the captured mTANs to a remote server to defeat the SMS-based banking two-factor authentication.<\/p>\n

\u201cLately there\u2019s been an active discussion on technical forums regarding Zeus targeting Android users\u201d said Axelle Apvrille of Fortinet, which, along with other security companies like F-Secure, s21sec, and Kaspersky, discovered a Zeus version for one of the most prevalent and popular operating systems for smartphones: Zitmo for Android. Apparently the sample <\/a>\u201cwas served to devices running the Google Android OS by a web server that was configured to deliver Zbot malware to multiple platforms.”<\/p>\n

Let\u2019s take a look to this application to figure out whether it\u2019s related in some way to the Zeus family.\u00a0At a first sight, the malicious application will try to impersonate the security application, Rapport, which tries to prevent man-in-the-browser malware and man-in-the-middle attacks. In fact, the icon is very similar to the official logo of Trusteer:<\/p>\n

\"\"<\/a><\/p>\n

But before the application is installed, Android will always show the permissions required by the application to be executed in the device. In this case, the permissions are RECEIVE_SMS, INTERNET, and READ_PHONE_STATE, which are not suspicious in this case because the application is running a phishing attack while posing as a security application that “must receive” an SMS second-factor authentication. According to the Android Manifest found inside the original apk file, the application is composed of an Activity (that is going to be executed once the user double-clicks the fake icon), a service (which will run in the background without the user’s knowledge), and a class named \u201cSmsReceiver,\u201d which execute every time the user receives an SMS:<\/p>\n

\"\"<\/a><\/p>\n

The activation will display a fake user interface acting as the security application Trusteer Rapport<\/a> showing the user an \u201cactivation key\u201d that should be used on the bank website, but in fact the number displayed is the phone’s International Mobile Equipment Identity separated by a hyphen (in this example the number displayed is 0 because the application was executed on an emulator):<\/p>\n

\"\"<\/a><\/p>\n

Once the application is installed, the code inside SmsReciver will run every time the user receives an SMS. This code passes the captured SMS to the service \u201cMainService,\u201d which starts a thread to collect the originating address (sender) and the message body of each SMS and stores that information in a specific structure attribute\/value pair that is commonly used to transfer data via HTTP:<\/a><\/p>\n

\"\"<\/a><\/p>\n

Once the sender and the body of the message is collected, the IMEI of the device will be collected as well and all the information will be sent to a remote server using a JSON object using a POST request method:<\/p>\n

\"\"<\/a><\/p>\n

The Elements Behind the Spyware<\/h2>\n

The key question is whether this malware is the Zitmo version for Android. From our analysis, the sample is probably only an SMS spyware. Here’s why:<\/p>\n