Zitmo evolving into a botnet says Fortinet

• Surge detected in Android-based mobile adware in last three months
• New evidence suggests mobile banking Trojan, Zitmo is evolving into a botnet

NEW evidence suggests that the Zitmo (Zeus-in-the-Mobile) mobile banking Trojan is evolving into a botnet.
 
Zitmo is the notorious mobile component of the Zeus banking Trojan that circumvents two-factor authentication by intercepting SMS confirmation codes to access bank accounts.
 
According to a new threat landscape research report by network security firm Fortinet, researchers have discovered that Zitmo has evolved into a more complex threat, with new versions recently released for Android and Blackberry.
 
The new versions for Android and Blackberry have now added botnet-like features, such as enabling cybercriminals to control the Trojan via SMS commands.
 
“The new version of Zitmo may already be in the wild in Asia and Europe. While we’re detecting only a few instances of the malware in those regions, it’s leading us to believe the code is currently being tested by its authors or deployed for very specific, targeted attacks,” said Guillaume Lovet, senior manager of Fortinet's FortiGuard Labs Threat Response Team.
 
According to Fortinet, as more local banks and online merchants roll out two-factor authentication − usually through the use of an SMS code to bring the second authentication factor and confirm a transaction − Android and Blackberry users should be mindful anytime their financial institution asks them to install software onto their computing device, as this is something banks rarely if ever request from their customers.
 
The same research report also revealed that a surge was detected in Android-based mobile adware with a volume of activity comparable to Netsky.PP, one of the most prolific spam generators encountered in Internet history.
 
Lovet said the surge in Android adware can most likely be attributed to users installing on their mobile devices legitimate applications that contain the embedded adware code.
 
“It suggests that someone or some group is making money, most likely from rogue advertising affiliate programs,” he added.
 
According to Fortinet, these types of applications require too many unnecessary rights for a normal application, indicating it has a hidden agenda.
 
Such data request includes permission to access parts of the device that are irrelevant to the application, to get access to the device’s browser history, bookmarks contact data, phone logs and identity as well as system log files.
 
Two adware variants Android/NewyearL and Android/Plankton were detected by close to 1% of all FortiGuard monitoring systems in the APAC and EMEA regions and 4% in the Americas.
 
These two adware variants cover various applications that embed a common toolset for unwanted advertisements displayed on the mobile’s status bar, user tracking through their International Mobile Equipment Identity (IMEI) number and dropping of icons on the device’s desktop.