It’s a new, exciting era for Trojan builders. The mobile space in 2012 is virgin, uncharted territory that attracts the talent and creativity of black hatters and malware writers like moths to a flame. If you think about it, the entire mobile security space has huge ‘Here there be monsters’ sections where the cartographers don’t really know what to draw. With its unique architecture, security platforms and operating systems, it’s a challenging yet highly rewarding exercise.
While most Trojan kits are still focused on building scalable, highly effective web harvesting weapons with a growing arsenal of tricks, demand for mobile-based attacks is growing. It’s been slow, but it’s there. In a few years’ time, those Trojan developers
who don’t support mobile platforms will go out of business. And I can promise you they have no intention whatsoever of doing so.
Plenty of Trojans affecting the popular Android mobile platform have been reported over the last couple of years. Zitmo, a Zeus Trojan add-on designed to capture and redirect SMS messages containing one-time passwords, was launched in 2010 (good coverage here). Similar functionality not tied to the famous Zeus Trojan was reported in the Philippines even earlier. Other Trojans take control of the mobile device so the attacker can use unauthorized premium services or make long-distance calls, and there are spyware programs that allow the attacker to eavesdrop, collect data, and do other useful things.
A new blog post from McAfee shows another step up the evolutionary ladder for mobile Trojans. It’s an Android app that poses as a legitimate one-time password generator used by Spanish banks but is actually a man-in-the-middle Trojan that steals both the login password and the OTP, collects some device identifiers as well, and can also be used as a backdoor for future malicious applications.
Why Android, by the way? Well, security researchers differ in their observations about the relative vulnerability of mobile platforms. In a ‘breaking news – up to the minute hacking threats’ panel I moderated at RSA Conference 2012 we had a lively debate over the matter. Kaspersky Lab’s Roel Schouwenberg maintained that the Android app market, being less controlled, is a fertile ground for malicious apps compared with other platforms; Kevin Mahaffey, CTO of mobile security company Lookout, argued that no mobile platform can be singled out as particularly easy to hack, and that the fact that Android is attacked more can be explained by market forces of supply and demand for mobile malware. The ecosystem of Android exploits and malware know-how developed faster than on other platforms, so it’s easier to join the trend.
The new mobile Trojan is more a social engineering attack than a Zeus-style silent Trojan that harvests mobile device traffic. It’s not the long-awaited Zeus for Mobile: it cannot sneak into mobile banking applications and listen in, and it is not even designed to capture mobile browsing traffic. It’s a standalone attack that leverages the biggest weakness in the mobile space: the users.
For this to work, the victim first needs to download the app. My colleague Bob Griffin wrote about app monitoring in his review of the RSA Conference innovation sandbox; it’s not an easy problem to solve. The victim then needs to install the app and respond to its social engineering prompt, which appears not when they bank online but whenever the Trojan decides to trigger it. Still, chances are it will be quite effective. If someone fell for the first step, the download, chances are they’ll fall for the following steps as well.
People’s common sense fails even in the web environment they’ve been using for decades; it’s safe to assume it will also fail in the new, highly dynamic mobile environment. It’s uncharted territory for everyone, and that’s the beauty of it from a cybercriminal’s perspective. We should expect surprises, creativity and feats of social engineering that can only work in these mobile times.