This year, we’ve seen the number of malware threats targeting Android surpass one million. But along with the staggering number, is a clearer picture of the industrial nature of Android malware, where winning strategies and code are re-used in totally new ways. This week’s Mobile Threat Monday looks at newly detected Trojan which appears to have older roots on a totally different platform.
This Trojan appears to be masquerading as an official app for the Banca March, a Spanish bank headquartered in Palma de Mallorca, and was detected by the security company F-Secure. It operates under several aliases, though most are variations of “Bancamarch.”
In their analysis, F-Secure found that the Trojan collected information about the infected device, such as: IMEI number, phone model, OS version, and the country where the device is operating. It also called and sent messages to a specific phone number.
The strange thing about this malware? The number it sends your stolen information to is the same used by the Spitmo malware that targeted Symbian phones back in 2010. “We also suspect that it’s a component of another malware, possible a banking Trojan that runs on PC,” F-Secure told SecurityWatch. However, F-Secure only recently began gathering data on this new Trojan, so it’s too soon to say for sure.
Spitmo is the mobile version of SpyEye, the name being an acronym of “SpyEye In the Mobile.” It’s similar to Zitmo, the mobile version of the Zeus banking Trojan, which is a perennial threat to Android users. According to a 2011 blog post from McAfee, one of the defining differences between Zitmo and Spitmo is that “SpyEye also does not run in the background as a service; it is not active until a predetermined number […] is dialed or an SMS is received.”
Interestingly, a reverse number search for the first digits of the recycled number suggest that it’s a mobile phone number registered in the UK. Perhaps its reappearance here is because functioning numbers for illegal operations are hard to come by, or that it was sold as part of a larger Spitmo-based exploit kit.
Just the Beginning?
What worries me is that while this Trojan bears some resemblance to Spitmo, it doesn’t do the worst of what SpyEye is capable of—suggesting that it was an out-of-the-box solution for the malware creator, or that it could be the beginning of a much worse attack. Given the kind of information it’s gathering, targeted malware or spam seem like possible follow ups.
To me, the mysterious phone number shows how Android malware has grown and mutated in such a short time. The strategies and successful malware are quickly taken apart and repackaged by an ever-growing community of attackers, eager to apply them to new regions and new scams. The more things change, the more things stay the same.