Counterfeit Antivirus App Borrows from Zeus Trojan
Author: John Duckgeischel on June 19, 2012 - 11:17 PM

Security researchers at Kaspersky Lab have discovered a mobile component of the Zeus banking malware that is being passed off as an Android security application. It is labeled Android Security Suite Premium, but it is able to steal SMS messages and upload them to a remote server. On launch, the rogue application shows an official-looking shield image that has been used by the Windows fake antivirus programs known as FakeAV. "How could I ever forget such an identifiable logo," blogged Nathan Collier, a threat research analyst at antivirus firm Webroot. "Now that the developers of the popular FakeAV malware have entered into the mobile world, expect to see a lot more variations of this."

Denis Maslennikov, a senior malware analyst at Kaspersky Lab, indicates that this latest mobile malware may also be a variant of Zitmo, also known as Zeus mobile. Cybercriminals have used Zitmo mobile apps alongside a Zeus computer Trojan since 2010 to steal money from online bank accounts. Zitmo helps to capture the mobile transaction authorization numbers (mTANs) that banks transmit to account owners via SMS messages. Cybercriminals rely on the mTANs to initiate bank transactions using stolen credentials. Kaspersky researchers are still determining the distribution method used to spread this malware. Security experts caution that Android users should only download apps from the official Google Play website to safeguard against bogus applications.

Related Links:

http://www.networkworld.com/news/2012/061912-fake-android-antivirus-app-likely-260331.html
