Earlier this week Polish security consultant Piotr Konieczny reported that operators of the Zeus botnet are attempting to reach into the mobile sphere with two new variants targeting users on Windows Mobile and Symbian phones. “Zeus in the Mobile” (or Zitmo) again attempts to authenticate bank transactions by intercepting the mTAN authentication code sent to mobile devices. An mTAN (mobile Transaction Authentication Number) is used by some online banking services in Europe to authorize financial transactions by sending an SMS to the customer’s phone. TANs were introduced to add an extra layer of security when completing large transactions. It is believed that Zitmo was developed to circumvent this added layer of security implemented by the banks.
How it Works
Zeus is a well-known PC botnet that intercepts banking information by luring a victim (on their PC) into providing their banking logins and passwords, along with their mobile phone number. From there, the attackers send an SMS to the victim’s device which includes a URL to a ‘certificate update’ (actually a Zeus Trojan for that particular smartphone platform). If a user downloads the infected ‘certificate update’, any incoming SMS messages (including mTAN authentication codes) are silently forwarded to a predefined cell phone number controlled by the attackers. Once the attackers have the mTAN code, they can confirm any banking transactions they initiated from the stolen account. It was found that both Zeus variants reported back to a British command and control mobile phone number once they successfully infiltrated a device.
Who is Affected?
Currently there is only evidence that customers of ING Bank in Poland using either Windows Mobile or Symbian phones could be infected by Zitmo.
How to Stay Safe
Only visit websites you trust on your PC and mobile device.
Do not enter phone information on suspicious web sites.
Use caution when clicking on suspicious links in SMS messages.
Access your online banking site from a trusted computer system that is running security software.
We’ll keep you updated as we learn more. If you have questions about this or other malware, feel free to contact us at security-at-lookout.com.
Today we are introducing a new concept called Lookout Labs and rolling out our first project: Plan B. Lookout Labs was created to explore and test out new ideas that push the boundaries of mobile. Projects developed in Lookout Labs are experimental by nature and are developed to showcase new concepts and facilitate an exchange between Lookout and the mobile community. Our engineers and other staff come up with new ideas every day, and we wanted a way to get the best ones implemented and released to the market quickly. They may only be available for a limited time, so make sure you check out our latest projects when they are first rolled out.
As part of Lookout Labs, today we are releasing our first project called Plan B. Plan B for Android is the last resort to find your missing phone, and is available for Android 2.2 platforms and earlier. Plan B is the first and only ‘find my phone’ app that you can download AFTER you’ve already lost your phone to locate it.
We’ve all had a friend who has lost their phone, but didn’t have Lookout or another ‘find my phone app’ already on their phone. Plan B was created for them. Plan B is not a replacement for Lookout and is designed to be a one-time use app. It’s a backup plan for anyone who’s lost their phone and wants to get it back.
Install Plan B to the phone that you are trying to find. (It’s important to note that you need to download Plan B from the web version of the Android Market, not the Android Market app on your phone.) As soon as it is installed, Plan B will send an email to your Gmail account telling you it’s locating your phone.
Once Plan B has located your phone, check your Gmail again to find a link to a Google Map of where your phone is located. For 10 minutes Plan B will send you a series of consecutive emails with refined location updates every few minutes.
If your phone seems to be on the move, and you aren’t able to find your phone within ten minutes of downloading Plan B, you can text yourself the word “locate” from a friend’s phone in order to start the locate process again.
The RSA Conference – one of the biggest security conferences – is being held in San Francisco this week. Our CEO, John Hering, was invited to moderate one of the few panels on mobile security and he was joined by prominent members of the mobile ecosystem:
Ed Amoroso, AT&T
Ian Robertson, RIM
Joshua Davis, Qualcomm
Alex Stamos, iSec
First, the panel tackled the topic of the current mobile security situation. A panelist suggested that the mobile “infection vector right now relies on duping users.” If you take a look at the majority of recent threats, that point rings true. The most advanced and recent pieces of malware we’ve seen are trojans hidden in otherwise seemingly safe apps – both HongTouTou and Geinimi. In addition, the panel noted that patching vulnerabilities in the mobile ecosystem is extremely challenging for both consumer and enterprise audiences.
When asked about obstacles to keeping mobile phones and networks safe, John got a series of opinions:
Standard communities need to proactively address the area
Enterprises need better tools to protect and manage devices
It needs to be easier for developers to make safe mobile software
Solutions are needed for quick, easy mobile device patching
Each offered their own prediction as to what the mobile device soft spot for attack vectors would be. One suggested legacy GSM issues; others said it would be the mobile web browser and ActiveSync.
While there were occasional differences of opinion about how to solve the mobile security problem, there was a general consensus that we’ll probably experience a major security attack in the next 18 months. I think Ed said it best, “We’re in the eye of the storm now,” and we should use 2011 to better prepare ourselves for what may come.
Today we released the second report from our App Genome Project, a dataset created to map more than 500,000 mobile apps across different device platforms and app markets. The App Genome Project is an ongoing effort to provide visibility into mobile market dynamics, gain insight into how mobile apps access personal data and sensitive capabilities on mobile devices, and identify security threats in the wild.
From the latest round of App Genome analysis, it is clear that the Android Market is rapidly maturing. This emerging market has seen a tremendous increase in the number of new apps available in the market — a 127% growth in the number of apps since August 2010 — and three times that of the Apple App Store. Plus the proportion of paid apps increased dramatically as well. To see interactive graphs and the full report click here.
We also analyzed specific alternative app markets for both Android and iOS. As one might expect, while these markets increase users’ access to apps, some also have a higher number of apps that could be repackaged with malware or illegitimate ad code. Repackaged applications found on the Android alternative markets can serve as vectors for illegitimate activities, whether it’s ad fraud (the inclusion of illegitimate ad code), piracy or malicious activities like bundling malware. HongTouTou (also known as ADRD), the most recent piece of Android malware disclosed yesterday, and Geinimi are both examples of legitimate applications that were repackaged with malware.
As the overall app ecosystem continues to evolve with the addition of new alternative app markets and continued growth in the competing platforms, we expect to see an increasing number of threats to privacy and security. Stay tuned for regular updates to the App Genome Project to track how the mobile app market continues to change.
On the heels of the Geinimi Trojan, Lookout has discovered a new Android Trojan that is repackaged in popular Android apps and distributed through app markets and forums serving Chinese-speaking users. Called HongTouTou (also known as ADRD trojan), this malware requests additional user permissions and appears to be executing a set of search-related activities in the background (unknown to the user) including emulating keyword searches and clicks on specific search results.
Lookout has already delivered an over-the-air update for its Android users to protect them against known instances of HongTouTou. If you are already a Lookout user (free or premium), you are already protected and no action is needed.
How it Works:
HongTouTou is included in repackaged apps made available through a variety of alternative app markets and forums targeting Chinese-speaking users. To date Lookout security researchers have identified fourteen separate instances of the HongTouTou Trojan repackaged in Android apps including RoboDefense (a well known game) and a variety of wallpaper apps.
Apps with HongTouTou attached request the following permissions over and above their legitimate counterparts:
When an app containing HongTouTou starts, it sends encrypted data containing the device IMEI and IMSI to a remote host. In response, HongTouTou receives a set of search engine target URIs and a set of search keywords to send as queries. HongTouTou then emulates the search process using these keywords to create searches in the search engine, crawls the top search results for those keywords, and emulates clicks on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with a User-Agent corresponding to the UCWeb browser (J2ME/UCWEB184.108.40.206).
HongTouTou can also process a command instructing it to download an APK (Android package file). Although we have not yet seen it attempt to install the APK, the APK appears to have the ability to monitor SMS conversations and insert content related to specific keywords (potentially spam) into the SMS conversation.
Who is Affected:
Currently we only have evidence that HongTouTou is distributed through alternative Chinese app markets and forums. To download an app from a third-party app store, Android users need to enable the installation of apps from “Unknown sources” (often called “sideloading”).
While we have seen the HongTouTou Trojan packaged in fourteen separate Android applications including RoboDefense and a variety of wallpaper apps, it is important to remember that even though these apps are repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected.
As stated above, Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan.
How to Stay Safe:
Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.
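The post notes that repackaged apps request permissions over and above their legitimate counterparts, and advises checking that an app’s permissions match its features. The following added example (not Lookout’s code or tooling) shows one way to do that check: it diffs the <uses-permission> entries of a decoded AndroidManifest.xml for a known-good build against a suspect build and annotates any additions that would enable the behaviour described here (IMEI/IMSI collection, background network traffic, SMS monitoring). The manifests are constructed samples for a hypothetical wallpaper app; real ones would be extracted with a decoder such as apktool.

```python
import xml.etree.ElementTree as ET

# ElementTree exposes the android: prefix as this namespace URI on attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real android.permission names; the notes map each one to the HongTouTou-style
# capability it would grant a repackaged app.
SUSPICIOUS = {
    "android.permission.READ_PHONE_STATE": "read IMEI/IMSI",
    "android.permission.INTERNET": "contact a remote host",
    "android.permission.RECEIVE_SMS": "monitor incoming SMS",
    "android.permission.READ_SMS": "read SMS conversations",
    "android.permission.SEND_SMS": "send SMS",
}


def permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def extra_permissions(original_xml: str, suspect_xml: str) -> dict:
    """Map each permission present only in the suspect build to a short note
    ('unlisted' when it is not one of the capabilities tracked above)."""
    added = permissions(suspect_xml) - permissions(original_xml)
    return {p: SUSPICIOUS.get(p, "unlisted") for p in sorted(added)}


# Constructed sample: manifest of a hypothetical legitimate wallpaper app.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: the same app repackaged with two extra permissions.
REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in extra_permissions(ORIGINAL, REPACKAGED).items():
        print(f"extra permission {perm}: {why}")
```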
As the number of malware exploits on smartphones increases, it is more important than ever to pay attention to what you’re downloading. Stay alert and carefully review every app you download. Stay tuned for more details on this threat.
Being in the mobile industry, it’s a lot of fun to take a step back and see how things have changed since the first mobile phone. From clunky “Zack Morris” phones to the sleek smartphones of today, the evolution of cell phones has been fast-paced. It’s hard to imagine that 25 years ago, a cell phone battery would only hold out for 30 minutes of talk time, or that cell phone users couldn’t put their phones on vibrate until 1993. From the monolithic phones of the 1980s to the web-capable phones that are commonplace these days, it’s clear that the next 25 years of cell phone evolution are going to be just as momentous as the last 25 years.
The smartphone race is heating up. Earlier this week, Google’s Android platform took the top slot as the world’s leading smartphone platform. And next week, the best of the best in mobile are heading to Barcelona to attend Mobile World Congress – the mobile event of the year. The Lookout team can’t wait to see what’s to come. With all the talk about 4G, tablets, LTE, etc., we are reaching the tipping point for mobile. The next wave of devices is going to dramatically change our lives... again.
In anticipation of a look at what’s to come, we took some time to look back and see how quickly mobile evolved, and we spent time thinking about our first phones. Click here or on the image above to see the evolution of the cell phone to the smartphone.
We’re curious to hear from our Lookout users. What about you? What was the first cell phone you ever purchased? Share your story on Facebook!
Lookout recently patched a security vulnerability in our Android app. The vulnerability, which was first reported by Tavis Ormandy of the Google Security Team, is not known to have compromised any devices or user data. We worked with Tavis and Google to fix the problem and release an update through the Android Market and other distribution points.
The issue is patched in versions 5.1.1 and above. To check which version of Lookout you are running, open the Lookout app on your phone, click the menu button, click About and the version number is at the bottom of the screen. If you are running version 5.1.1 or higher, no action is required. If not, you should upgrade via the Android Market or by downloading the app directly.