First SpyEye attack on Android now in the wild

September 2011 Information Security, Integrated Solutions

Trusteer intelligence has spotted the first SpyEye variant, called SPITMO, attacking Android devices in the wild. According to Amit Klein, Trusteer’s chief technology officer, DroidOS/Spitmo escalates the threat posed by SpyEye because the malware has changed both how it is delivered and how it infects the phone.

Amit clarifies, “We always said it was just a matter of time before the true potential of SpitMo was realised. When it first emerged back in April, F-Secure reported, in its blog, that it was targeting European banks. The trojan injected fields into a bank’s webpage asking the customer to input his mobile phone number and the IMEI of the phone. The fraudster then needed to follow a cumbersome three-stage sequence - get the IMEI number; generate a certificate; then release an updated installer. This process could take up to three days.

“We could not believe fraudsters would go to that much effort just to steal a couple of SMSs - and it appears we were right. Information gathered by Trusteer's Intelligence Centre has discovered a new far more intuitive, and modern, approach of SPITMO for Android now active in the wild.”

SPITMO – Moving on to Android

Looking at the attack vector in action, Amit explains, “When a user browses to the targeted bank a message is injected presenting a ‘new’ mandatory security measure, enforced by the bank, in order to use its online banking service. The initiative pretends to be an Android application that protects the phone’s SMS messages from being intercepted and will protect the user against fraud. How is that for irony.”

Once the user clicks on ‘set the application’, they are given further instructions that walk them through downloading and installing the application.

To complete the installation, the user is instructed to dial the number ‘325000’; the call is intercepted by the Android malware, which presents an alleged activation code to be submitted later into the ‘bank’s site’. The activation code serves no legitimate purpose: it exists only to make the installation look like a genuine bank enrolment step and so conceal the true nature of the application.

Once the Trojan has successfully installed, all incoming SMS messages are intercepted and forwarded to the attacker’s command and control (C&C) server. Code that runs each time an SMS is received builds a string from the message, which is then appended as the query string of an HTTP GET request sent to the attacker’s drop zone. Because the stolen message travels in the URL of a plain GET, it is visible to any proxy or gateway that logs full request URLs, which gives defenders a place to look for it.
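As an added example (not Trusteer’s code and not the trojan’s own), the following Python scans proxy access-log lines for GET requests of the shape described above. The article does not disclose the query-parameter names SPITMO uses, so the parameter hints, the log format and the sample log entries are constructed assumptions; the only indicator taken from the article itself is the drop domain ‘124ffsaf.com’ that Trusteer names.

```python
"""Flag outbound HTTP GET requests that look like SMS exfiltration.

Added example, not Trusteer's or the malware's own code. SPITMO's real
parameter names are not published in the article, so the hints below and the
log format are assumptions to be tuned against real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs

# The one drop domain the article names; the other four were unregistered at the time.
KNOWN_DROP_DOMAINS = {"124ffsaf.com"}

# Assumed query-parameter names a mobile trojan might use to ship an SMS
# and the device identity (hypothetical; not taken from SPITMO).
SMS_PARAM_HINTS = {"from", "sender", "body", "text", "sms", "msg", "imei"}

# Constructed proxy access-log lines: epoch time, client IP, method, URL.
SAMPLE_LOG = """\
1315900000.123 10.0.0.5 GET http://www.example-bank.test/login?lang=en
1315900010.456 10.0.0.5 GET http://124ffsaf.com/gate.php?imei=355000000000000&from=%2B27820001234&body=Your+one-time+code+is+482913
1315900020.789 10.0.0.6 GET http://cdn.example.test/app.js?v=3
1315900030.012 10.0.0.7 GET http://unknown-drop.test/in.php?sender=BANK&text=OTP+771204+expires+in+5+min
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")
CODE_RE = re.compile(r"\b\d{4,8}\b")   # bank one-time codes are typically 4 to 8 digits


def classify(url):
    """Return the reasons a GET URL looks like SMS exfiltration ([] if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query)
    reasons = []
    if host in KNOWN_DROP_DOMAINS:
        reasons.append("known drop domain")
    hits = SMS_PARAM_HINTS & set(params)
    if len(hits) >= 2:
        reasons.append("sms-like parameters: " + ",".join(sorted(hits)))
    # An SMS body is free text that, for a bank, usually carries a numeric code.
    if any(len(v) > 20 and CODE_RE.search(v)
           for values in params.values() for v in values):
        reasons.append("message-like value containing a numeric code")
    return reasons


def scan(log_text):
    """Parse log lines and return the flagged GET requests with their reasons."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip malformed lines rather than crash
        ts, client, method, url = m.groups()
        if method != "GET":
            continue                    # the article describes GET-based exfiltration
        reasons = classify(url)
        if reasons:
            flagged.append({"time": ts, "client": client,
                            "url": url, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"])
        for r in hit["reasons"]:
            print("   -", r)
```

The known-domain match is the only high-confidence signal; the parameter and numeric-code heuristics are there to catch the four drop domains that were not yet registered when the article was written, at the cost of some false positives, so in practice they should feed a review queue rather than a block list. A variant that switched to POST would carry the message in the request body, which most proxies do not log, so full-URL logging is the cheap win this particular design leaves open.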

Amit adds, “When examining the drop URLs, four of the domain names in use are not registered – yet. However, one of them is not new in relation to SpyEye – the domain ‘124ffsaf.com’, and has actually been hopping around different IPs in several locations around the world. This attack, at the moment, is yet to gain momentum but that is just a matter of time. This is a very real early warning and I am pretty sure it has only just started. I am tempted to say ‘to be continued…’

“What makes all of this so scary is that the application is not visible on the device’s dashboard, making it virtually undetectable, so users are not aware of its presence and will struggle to get rid of it.

“Organisations and individuals need to act now and protect themselves as this variant has traits to become a more serious threat. My advice is to install a desktop browser security solution as part of a multilayered security approach.”

For more information on DroidOS/SPITMO visit www.trusteer.com/blog
