Defeating mTANs for profit
Axelle Apvrille and Kyle Yang
Zeus In The MObile –> ZITMO
Malware for Symbian OS > 9.0
Intercepts mTANs (one-time passwords sent over SMS)
Targeting Spanish online banks
Propagated on PC by Zeus botnet
First case seen of organized criminals exploiting mobile TANs
Zeus (AKA Zbot)
It’s a crimeware kit and not a single botnet (there are several)
Designed to steal banking credentials
Zitmo in a nutshell
Once Zeus has infected a PC and the user initiates a transaction, Zeus detects the mobile number and attempts to propagate to the mobile device by sending the end user an SMS prompting them to download a new "certificate". Once this is installed, the attacker can transfer the money at any time, since the attacker holds both the online login information (stolen by Zeus through keylogging) and the mTAN for the transaction (stolen by Zitmo). The end user never sees the mTAN SMS because Zitmo intercepts it.
This means attackers can perform the transfer at any point they wish, without any user interaction.
Analysis of the Zitmo malware showed that it shares a lot of similarities with a Russian program called SMS Monitor, which offers many of the same functions but is marketed as a parental control and security audit tool.
However, some of the SMS Monitor code was published in Russian magazines. Maybe the code was stolen?
Reverse Engineering Zitmo
Three actors –> Victim, Administrator (bad guy) and Others (e.g. bank, friends, …)
Two separate processes –> INIT and SMS Processing Engine
The daemon listens for incoming SMS messages and checks whether each one needs to be processed (commands, mTANs, etc.) or forwarded to the phone's inbox.
Due to the way Symbian works, it's not possible to hook directly into the "Listen to all SMS" function (already in use by the phone). However, it is possible to hook into "Listen to all SMS containing the following". By setting this to IfNotNULL, they bypass the restriction and effectively listen to ALL SMS messages.
Zitmo doesn't block all SMS messages; it inspects every incoming message for an action to take. Blocking all SMS messages would make the user suspicious. The commands it recognises:
- ON / OFF (disable Zitmo)
- SET ADMIN xx
- ADD SENDER xx, xx / ALL
- REM SENDER xx, xx / ALL
- SET SENDER xx
- BLOCK ON / OFF (block incoming calls)
Protocol flaw: Anybody can claim to be the administrator!
How to 0wn the adm1n:
- Method 1: Send SET ADMIN command by SMS to the phone
- Method 2: Craft a new settings file
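As an added example (not from the talk or its authors), a small Python classifier that flags SMS matching the command grammar listed above and tracks who claims to be the administrator. Since Zitmo honours SET ADMIN from any sender, a second number issuing it is reported as an unauthenticated takeover rather than rejected; the exact command syntax, the `sender|body` log format and the phone numbers are assumptions.

```python
import re

# Command grammar as listed in the talk notes; the exact syntax Zitmo parses
# (separators, case, number format) is not on the page, so these patterns
# are an assumption for illustration only.
NUM = r"\+?\d+"
COMMAND_PATTERNS = {
    "toggle":      re.compile(r"^(ON|OFF)$", re.I),
    "set_admin":   re.compile(rf"^SET ADMIN ({NUM})$", re.I),
    "add_sender":  re.compile(rf"^ADD SENDER (ALL|{NUM}(?:\s*,\s*{NUM})*)$", re.I),
    "rem_sender":  re.compile(rf"^REM SENDER (ALL|{NUM}(?:\s*,\s*{NUM})*)$", re.I),
    "set_sender":  re.compile(rf"^SET SENDER ({NUM})$", re.I),
    "block_calls": re.compile(r"^BLOCK (ON|OFF)$", re.I),
}

def classify_sms(body):
    """Return (command, argument) if the body matches the grammar, else None."""
    for name, pat in COMMAND_PATTERNS.items():
        m = pat.match(body.strip())
        if m:
            return name, m.group(1).upper()
    return None

def scan_sms_log(lines):
    """Flag command-shaped SMS in 'sender|body' lines and track who claims admin.
    SET ADMIN is honoured from any sender (the protocol flaw), so a second
    number issuing it is reported as an unauthenticated takeover."""
    admin, findings = None, []
    for line in lines:
        sender, _, body = line.partition("|")
        hit = classify_sms(body)
        if hit is None:
            continue  # ordinary SMS or bank mTAN, not a C&C command
        name, arg = hit
        if name == "set_admin":
            note = "initial admin set" if admin is None else f"admin takeover from {admin}"
            admin = arg
        else:
            note = "command from admin" if sender == admin else "command from non-admin sender"
        findings.append({"sender": sender, "command": name, "note": note})
    return findings

# Constructed sample log (hypothetical numbers, not real traffic).
SAMPLE_LOG = [
    "+34600000001|SET ADMIN +34600000001", "+34600000001|ADD SENDER ALL",
    "+34611111111|Hola, nos vemos a las 8", "+34622222222|Your one-time code is 123456",
    "+34699999999|SET ADMIN +34699999999", "+34600000001|BLOCK ON",
]
```

Running `scan_sms_log(SAMPLE_LOG)` yields four findings: the initial admin, one command from that admin, the takeover by the second number, and the original number's BLOCK ON now flagged as coming from a non-admin sender.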
By using remote debugging on Symbian it’s easy to step through the process used to handle commands as they come in from the lab administrator phone.
Zitmo’s Hidden debug window
Zitmo was secretly writing to a hidden debug window
By setting a breakpoint on the hide function and changing the window to visible, it was possible to view the hidden debug window and watch the status information change as commands were received.
Very difficult to spot due to the lack of symptoms
One possible detection trigger is that the application was delivered as a .sis/.sisx application and not as a certificate (as advertised).
It also shows up in the installed applications list.
Zitmo is signed by Symbian, therefore accepted by the phone –> Express Signed
This is not uncommon, however: multiple malware samples have been signed by abusing the same process.
- Shmoocon Schedule –> HERE
- Talk Synopsis –> HERE
- Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated – Fortinet Blog