More than a year ago we saw for the first time how ZeuS had incorporated a mobile component in an attempt to steal the SMS messages that banks send while a transfer is being made. Later, SpyEye incorporated the same technique.
Recently, we have seen a new campaign affecting Spanish banks, which urges the user to install a component if their phone is Android. While the first samples were for Symbian and BlackBerry, later versions added Android to their targets. The widespread use of this platform, along with the ease of developing applications for it, makes it one of the favourite targets of malware creators.
Infecting a mobile device is not a trivial task, so the user must be tricked, through social engineering, into infecting themselves. For this reason it is important to understand the risks: a user who is unaware that their mobile can be infected is completely vulnerable to this attack.
In the case at hand, when the user visits the bank's website from an infected computer, the malware tries to convince them to install an application on their mobile phone, making them believe that they are installing a program to secure communications.
Image 1: The user is asked for their phone operating system and phone number (Spanish)
Then comes the verification of the installation, which asks for an activation code that the mobile displays once the application is installed.
Image 2: The user confirms an activation code received on their mobile (Spanish)
Finally, a successful installation message is displayed to the user.
Image 3: Application installed successfully – you are now protected (Spanish)
If the mobile is an Android phone, SpyEye simply informs the user that they do not require any further security.
Image 4: Your phone does not require any further security (Spanish)
Although we have often heard the term "SpyEye for Android" used incorrectly, we must be clear that the component that infects mobiles is not a version of SpyEye: it is not capable of intercepting on-line banking sessions or anything similar. It is a very simple application that forwards received SMS messages to an external server using a plain GET request, with the data passed as parameters. It is merely a complement, totally unrelated to the malware that infects the computer, and it could be used interchangeably with any banking trojan.
As an example of the application's simplicity, the "encryption" of the string containing the URI of the dropzone consists solely of swapping the characters "=", "-" and "q", as can be seen in the following example, which is very similar to the original URI.
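To make the point concrete, here is an added analyst's helper (not code from the original post or from the sample it describes) that shows how little such a substitution protects. The post does not say which of the three characters maps to which, so the mapping is treated as unknown: the helper enumerates all six bijections among "=", "-" and "q", applies each to the obfuscated string, and keeps only the candidates that parse as a plausible HTTP URI. The dropzone URI and the mapping used to build the sample string are constructed for this example and are not values from the campaign.

```python
import itertools
import re
from urllib.parse import urlsplit

# The three characters the post says the string obfuscation swaps among.
SWAP_CHARS = "=-q"

# Heuristics for a "plausible" decoded URI: a hostname made of ordinary
# hostname characters, and query pairs whose keys are simple identifiers.
NETLOC_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")
QUERY_KEY_RE = re.compile(r"^[A-Za-z0-9_]+$")


def all_substitutions():
    """Yield every bijective mapping among SWAP_CHARS (6 candidates, identity included)."""
    for perm in itertools.permutations(SWAP_CHARS):
        yield dict(zip(SWAP_CHARS, perm))


def apply_substitution(text, mapping):
    """Replace each of the three characters per `mapping`; every other character is unchanged."""
    return "".join(mapping.get(ch, ch) for ch in text)


def invert(mapping):
    """Inverse of a bijective character mapping (decoding key for an encoding key)."""
    return {v: k for k, v in mapping.items()}


def looks_like_uri(text):
    """Return True if `text` parses as an http(s) URI with a sane host and key=value query."""
    try:
        parts = urlsplit(text)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or "." not in parts.netloc:
        return False
    if not NETLOC_RE.match(parts.netloc):
        return False
    if parts.query:
        for pair in parts.query.split("&"):
            key, sep, _value = pair.partition("=")
            if not sep or not QUERY_KEY_RE.match(key):
                return False
    return True


def recover_uri(obfuscated):
    """Try all six substitutions; return (mapping, decoded) pairs that yield a plausible URI."""
    hits = []
    for mapping in all_substitutions():
        candidate = apply_substitution(obfuscated, mapping)
        if looks_like_uri(candidate):
            hits.append((mapping, candidate))
    return hits


# Constructed sample (hypothetical dropzone URI and hypothetical encoding key),
# built here only to exercise the decoder; not values observed in the campaign.
ORIGINAL_URI = "http://dz-host.test/gate.php?seq=1&sms=x"
SAMPLE_MAPPING = {"=": "-", "-": "q", "q": "="}
SAMPLE_OBFUSCATED = apply_substitution(ORIGINAL_URI, SAMPLE_MAPPING)

if __name__ == "__main__":
    print("obfuscated :", SAMPLE_OBFUSCATED)
    for mapping, decoded in recover_uri(SAMPLE_OBFUSCATED):
        print("candidate  :", decoded, "via", mapping)
```

Because only three characters ever change, the obfuscated string still reveals the scheme, most of the host and the path, and an analyst can recover the rest by trying the handful of possible keys; the URI filter is deliberately conservative so that several candidates may survive on a real sample, in which case the analyst picks among them.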
In short, this is a new infection campaign which, from a technical point of view, adds nothing new, but we must stress that users need to understand this kind of threat if they are to avoid falling into the trap.