Zitmo trojan attacking Android bank transactions

Zitmo, a Trojan spyware app that poses as banking activation software, has now been modified to attack Android-based devices. The virus, which steals financial transaction information, has previously been successfully used on Symbian, BlackBerry and Windows Mobile devices.

Axelle Apvrille, an author at the security blog Fortinet, said Zitmo is being put to use by the ZeuS botnet gang.

“The malware poses as a banking activation application,” she said. “In the background, it listens to all incoming SMS messages and forwards them to a remote Web server. It’s simple, but just enough for the ZeuS gang to grab your banking mTANs.”

MTAN stands for “mobile transaction authentication number” or, if you’re not a banker, a single-use password for approving bank transactions while you’re on the go. MTANs are sent by text message between the bank and customer, and are recommended for use by the Federal Financial Institutions Examinations Council because they offer a type of authentication that doesn’t go through regular channels. In other words, they are supposed to be harder to crack.

The Zitmo attack works because ZeuS figured out how to get in early. The malware first infects a user’s PC and waits for the user to visit their bank site on their phone. Posing as a new layer of security software, Zitmo prompts users to download itself. When that happens, it controls the user’s PC and phone, and will continue sending crucial information to outside parties.