Security Alert: Windows Malware Now Targeting Android OS

October 13, 2011

ZeuS and SpyEye, two malicious toolkits originally designed to steal data from Windows-based systems, are now targeting Android-powered tablets and mobile devices.

Key Facts

  • Both ZeuS and SpyEye operate by social engineering Android users into downloading and installing an infected application.
  • ZeuS’ Windows-based botnets are estimated to include approximately 3.6 million computers in the US alone. ZeuS has been used to access the credit card records of more than 15 US banks and has compromised over 74,000 FTP accounts on websites of companies including Bank of America, Cisco, Amazon, and BusinessWeek.
  • SpyEye for Windows was used to steal 3.2 million USD and is estimated to have compromised more than 25,000 systems.

How You Can Help Protect Yourself

ZeuS and SpyEye are capable of stealing all forms of credentials, though they are primarily known as viruses that target victims’ banking credentials. Here’s how the Android versions work.

ZeuS for Android operates by prompting Android users to download an infected application designed to look similar to Trusteer Rapport’s banking security tool. Once the infected application is installed, ZeuS forwards all incoming text messages to a remote server. If the malware succeeds in capturing text messages that contain mobile transaction authentication number (mTAN) codes, attackers may be able to use those codes to gain access to the Android user’s secure accounts.

SpyEye attacks using a similar method. Once an infected application is downloaded, the SpyEye malware package submits a request to the Android user’s bank (via the user’s mobile banking application) in order to replace the user’s phone number of record with an attacker-controlled number. To authorize the phone number change, the attackers need to secure the confirmation code that the bank sends to the Android user’s original phone number. To this end, SpyEye injects a message into the user’s mobile banking session, prompting the Android user to enter the confirmation number into a fake webpage designed to look like their online banking portal. Once entered, the confirmation number is sent directly to the attackers.

To help guard against these threats:

  • Never download an unsolicited application.
  • Verify the sender of any messages prompting you to alter or share personal information.
  • Require rig personnel to disable all mobile device functionality, except for the ability to make phone calls.
  • Establish a policy that specifically outlines the types of devices that are permitted onboard company rigs and/or platforms.
  • Make sure that all offshore wireless networks are protected by a firewall.
  • Spread the word. Educated Android users are much less susceptible to becoming infected by ZeuS or SpyEye.

If your Android device does become infected, we recommend that you immediately remove the battery or otherwise disable the device, and then discard it.

Information listed here was sourced from:
ZeuS-in-the-Mobile – Facts and Theories, Securelist.com, October 6, 2011
ZeuS Trojan for Google Android Spotted, Krebsonsecurity.com, July 11, 2011
Zeus (Trojan), Wikipedia.com
Soldier SpyEyes a Jackpot, TrendMicro Malware Blog, September 14, 2011
SpyEye Changes Phone Numbers to Hijack Out of Band SMS Security, Trusteer.com, October 5, 2011
