Zitmo trojan for Android defeats two-factor authentication
Malware intercepts TANs sent via SMS.
A new variant of the Zitmo trojan has been discovered that infects
mobile devices running the Android platform and which intercepts SMS
messages from banks sending mobile TAN numbers, thus potentially
defeating two-factor authentication.
Two-factor authentication is used by many banks to prevent a
customer's online banking account from being compromised by password
theft. One common way for it to work is for the customer to be required to enter both their password and a 'Transaction Authentication
Number' (TAN) - which is sent to their mobile device via SMS - in order to complete a transaction. This is considered to
be more secure, as it is deemed unlikely that criminals would be able both to steal passwords and to have access
to the user's mobile device.
However, it is certainly not impossible - as the Zitmo trojan (first discovered in September 2010 for Symbian
The trojan co-operates with the ZeuS crime kit (Zitmo stands for 'Zeus In The MObile'): when a user who is infected
with ZeuS visits one of a number of particular websites, code is injected into the session, prompting the user to enter their
mobile number as well as the model of the device. An SMS is then sent to that number with a link to the
malicious application, which is a Zitmo variant targeting that
particular operating system.
The combination of ZeuS, which steals the user's login credentials for the
online banking system, and Zitmo, which intercepts mobile TANs, gives
the criminals effective control of the user's bank account.
Two-factor authentication should still be a minimum requirement for
online banking, but neither banks nor their customers should
assume that this makes the systems undefeatable.
More at Fortinet's blog here and at CSIS's blog here.
Fortinet's Axelle Apvrille and Kyle Yang wrote a two-part
analysis of Zitmo for the March and April
editions of Virus Bulletin (subscription required).
will give a presentation on analysing mobile malware at
VB2011 later this year. The conference takes place 5-7 October in Barcelona. Registration for the event is now open.
android, authentication, banking, mobile, trojan, zeus, zitmo.
Posted on 11 July 2011 by Virus Bulletin.