Researchers from S21sec, a Spanish security company, discovered earlier this month a version of Zeus that identifies the make of mobile phones and their numbers by injecting HTML fields over a bank’s Web page when a user starts a transaction. Banks are increasingly adopting systems that send to mobile phones a one-time passcode that must be entered in order to complete a transaction. Using a person’s mobile phone in two-factor authentication is cheaper than sending out small devices that generate one-time passcodes.
The attackers will send the victim a text message with a link to a malicious Web site, prompting the user to download an “update” for their device. The software — which has a valid signing certificate — appears to be legitimate, but it is designed to intercept the one-time passcode used in online banking transactions and forward it by text message to the attackers’ phone. The malware is still transmitting data to hackers, although U.K. police have been notified.
Regular Zeus works by capturing the log-in and password of victims’ bank accounts. With banks using one-time passcodes sent by SMS, Zeus’ operators would have to wait until a victim started an online transaction, received the one-time passcode on their phone and then entered it into the Web browser. Zeus would have to grab the code and quickly initiate a new transaction before the code expires. That method requires the attacker to wait until the victim starts a transaction. The new Zeus mobile component means they automatically receive the one-time passcode without any action by the victim, providing additional time to complete the transaction.
The mobile Zeus malware can infect Symbian Series 60 devices or BlackBerries. The iPhone is so far not affected.