The Inquirer-Home

Zeus Trojan targets mobile phone banking

SMS malware is here
Tue Feb 22 2011, 12:05

AN EVOLVED VERSION of the Zeus trojan that targets mobile phones has been discovered.

Security firm F-Secure published an alert about the Zeus variant 'Mitmo', which targeted the ING bank in Poland. It attacks mobile phone-based two-factor authentication by stealing mTANs, which are mobile authentication numbers sent via SMS by some banks to authorise online transactions.

Mitmo works by presenting you with a modified version of the bank's website on your mobile by injecting HTML snippets. You give your login and password, and then you are prompted to provide your phone model and number. You are then sent an SMS that has a link to a malicious application.

The app then monitors your SMS messages, which means the Zeus operator can get hold of mTANs, which can be sent without a user knowing. The operator now has your username, password and mTAN, which, used in combination, can clear your account of cash.

The attack was first seen as early as last year, targeting Symbian and BlackBerry phones. It's the sort of thing you can imagine Android having a problem with in the future, but iPhone users won't be affected as iOS doesn't allow you to download uncontrolled apps without jailbreaking.

For a user to get caught in this kind of attack, they will have to first be fooled by the fake website and then silly enough to download an unauthorised app. But that's not very different from how desktop users often get fooled, and criminals seem to be doing pretty well with that. µ


Comments
??

So would this somehow bypass the big ol' list of permissions that comes up each and every time you install an app?

posted by : krs360, 22 February 2011