We have been investigating a new piece of Android malware that was being sent out to German Android users as part of a phishing campaign targeting customers of Postbank.
ZertSecurity is a banking trojan which masquerades as a certificate security application that asks the user to input their bank account number and PIN.
ZertSecurity was found in the Google Play store, although less than 100 copies had been downloaded in the 30 or so days that it was live. It has since been removed by Google.
All Lookout users are protected against this threat.
In contrast to most other banking trojans, ZertSecurity is standalone with no corresponding desktop component as has normally been seen in banking threats like Zitmo/Citmo. This is because in this case, the attackers are able to collect everything they need with one simple form.
Since Postbank requires Account number and PIN for web access, by phishing for these details and then controlling all SMS sent to the user’s mobile, the people behind this attack are able to:
- Access the web account
- Review or make transactions
- Intercept any two factor authentication messages sent over SMS.
In particular this means they would be able to authenticate transactions that they create, by hijacking the mTAN SMS.
How it works
Links to ZertSecurity’s installation website were pushed out as part of a phishing campaign that targeted users in Germany. All emails seen so far have masqueraded as emails from Postbank and contain messages along these lines:
- Following an account audit it has been identified that your information is out of date, and your account access has been limited. You need to click on the attached link in order to update your account and restore access.
- After a certain date, It will only be possible to use the Postbank mobile TAN service if you install the SSL certificate from this application. Use the attached link to install the SSL certificate on your smartphone right now now.
If the link is followed from anything other than an Android device, the installation website displays “Certificate was successfully installed”, and nothing further happens.
Following the link using an Android device takes the user to a website which invites them to install the fake security certificate application, and provides instructions to guide users through the installation process:
The site even provides clear instructions on how to turn off the “Trusted sources” setting and informs the user to ignore any security warnings as the “certificate application is safe”.
Once activated, the application brings up a web form requesting the user’s account number and PIN.
Once the account number and PIN have been successfully entered, the application displays a screen informing the user that the certificate has been successfully installed. There is nothing further for the user to interact with at this point.
The malware stores data entered into the account number and text fields in its config file and sends a copy to its configured command and control server (C&C). Data sent to the server and stored within its config file is encrypted using AES and then encoded using Base64.
While the malware is running, it also sends the bodies of any SMS’s received to the C&C server while also preventing the SMS’s from being displayed to the device owner. In order to do this the malware registers an SMS receiver with a very high priority (1000). This allows the malware to receive the messages before any other application gets a chance.
The likelihood of infection is very low.
The application is distributed as part of a small phishing campaign targeting users in Germany, and detections have been in Germany only. Also less than 100 copies of the app had been downloaded prior to its removal by Google.
Command & Control Servers:
ZertSecurity uses two command and control servers, specified within the encrypted config file. All C&C servers are down at this time.
 ZertSecurity was first discovered by Heise Security.