The SpyEye malicious toolkit, which has made botnets out of computers running Microsoft’s Windows operating system, now threatens devices running Google’s Android as well.
Computer security firm Sophos said SpyEye, designed to steal banking credentials and confidential data, appears to have produced its Android version some months after “competitor” Zeus did so.
“When the user of a PC infected by the Windows version of SpyEye visits a targeted banking website, and when the site is using mobile transaction authorization numbers, the SpyEye Trojan may inject HTML content which will instruct the user to download and install the Android program to be used for transaction authorization,” Sophos said in a blog post.
SpyEye does not include an icon that would be displayed in the “All apps” menu; a user will only find the package when “Manage Applications” is launched from the mobile device’s settings.
Also, the application uses the display name “System” so that it seems like a standard Android system application.
SpyEye for Android is detected by Sophos products as Andr/Spitmo-A.
“It also seems that support for Android is increasingly becoming an important part of their product strategy,” Sophos said.
Avoiding detection
Sophos said the malware uses different tactics to reinforce the user’s belief that it is a legitimate application.
It declares the following in its Android manifest:
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
This allows the malware to intercept outgoing phone calls.
When a number is dialed, the call is intercepted before the connection is made and the dialed phone number is matched to a special number specified by the attacker in the alleged helper application installation instructions.
If the number matches, Spitmo displays a fake activation number, which is always 251340.
Sophos also said a broadcast receiver intercepts all received SMS text messages and sends them to a command and control server using an HTTP POST request.
The submitted information includes the sender’s number and the full content of the message. — TJD, GMA News
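For defenders triaging a suspicious APK, the traits described above (the two intercepted actions, the missing launcher icon and the “System” display name) can be checked against the app’s manifest. The Python sketch below is an added example, not code from Sophos or the original article; it assumes the manifest has already been decoded to text XML and that the label is a literal string, and the sample manifest in it is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
WATCHED = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.NEW_OUTGOING_CALL",
}

def triage(manifest_xml):
    """Return the traits from the article that a decoded manifest exhibits."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    findings = []
    # Actions that the app's broadcast receivers register for.
    hooked = {a.get(NS + "name") for a in app.findall("receiver/intent-filter/action")}
    for name in sorted(WATCHED & hooked):
        findings.append("receiver for " + name)
    # Without a LAUNCHER category the app has no icon in the "All apps" menu.
    has_icon = any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
                   for c in app.iter("category"))
    if not has_icon:
        findings.append("no launcher icon")
    # Assumption: the label is a literal string, not an @string/ resource reference.
    if (app.get(NS + "label") or "").strip().lower() == "system":
        findings.append('display name "System"')
    return findings

# Constructed sample manifest (not taken from the real sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application android:label="System">
    <receiver android:name=".SmsRx">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <receiver android:name=".CallRx">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Any single trait is common in legitimate apps; it is the combination of all of them in one package that warrants a closer look.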
Article source: http://ph.news.yahoo.com/spyeye-malware-tookit-hits-android-devices-111009065.html