
Android/Zitmo.D!tr.spy - Released Jul 15, 2011 - Last Updated Jul 18, 2011

Alias/es

Andr/SMSRep-C (Sophos)

Detection Availability

              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A

Visible Symptoms

  • Abnormally high bill due to connecting to Internet
  • The (fake) Kaspersky Anti-Virus application does not seem to work properly

Detailed Analysis

Android/Zitmo.D!tr.spy is a variant of Android/Zitmo.C!tr.spy. Like variant C, it installs on Android mobile phones and is assumed to attempt to steal confidential banking authentication codes sent to mobile phones.
This particular variant poses as a fake Kaspersky Anti-Virus application. When launched, the malware computes and displays a fake activation code for the alleged anti-virus. In reality, the malware monitors incoming SMS messages and outgoing calls, logs the corresponding details and sends them to a given URL.

Figure 1. Phone infected with Android/Zitmo.D!tr.spy. Fake activation code info.

Technical Details

When the infected phone calls a distant phone number, the following information is sent by HTTP:
http://[REMOVED]/?to=DISTANT PHONE NUMBER&i=IMSI&m=IMEI
where:
  • to: contains the phone number the phone is calling
  • i: contains the IMSI of the victim's SIM card
  • m: contains the IMEI of the victim's phone
If it is the first time the malware is run, an additional parameter is sent:
&f=1
where f is a "first run" boolean, set to true (1) the first time the malware is run.
After the initial run, a shared preferences file is kept on the device with a boolean entry named "frun". The entry is set to 1 for a first run and switched to 0 once the malware has been run once, so the f parameter is only ever sent with the first report.

When the phone receives an incoming SMS, the contents of this SMS are logged and sent by HTTP:
http://[REMOVED]/&from=PHONE NUMBER&text=BODY
where:
  • from: contains the originating phone number of the incoming SMS
  • text: contains the body of the incoming SMS
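The two report formats above can be recognised in web proxy or gateway logs. The following is an added example (not Fortinet's code and not part of this analysis) that parses requested URLs for the parameter sets described here and flags matching requests; the log line format, the example.invalid host and all sample values are constructed for illustration. Note that the SMS report starts its parameters with "&" directly after the path, so the parser splits on the first "?" or "&" rather than relying on a standard query separator.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter sets described in the analysis above:
# outgoing-call report: to, i (IMSI), m (IMEI), optional f (first run)
# incoming-SMS report:  from, text
CALL_KEYS = {"to", "i", "m"}
SMS_KEYS = {"from", "text"}


def split_query(url):
    """Return the parameter string of a report URL.

    The SMS report begins with '/&from=...', which urlsplit() would leave
    in the path, so cut at the first '?' or '&' after the host instead.
    """
    parts = urlsplit(url)
    rest = url[len(parts.scheme) + 3 + len(parts.netloc):]  # text after host
    for pos, ch in enumerate(rest):
        if ch in "?&":
            return rest[pos + 1:]
    return ""


def classify_request(url):
    """Describe one requested URL; returns None when it matches neither report."""
    query = parse_qs(split_query(url), keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    keys = set(params)
    if CALL_KEYS <= keys:
        return {"kind": "call", "dialed": params["to"], "imsi": params["i"],
                "imei": params["m"], "first_run": params.get("f") == "1"}
    if SMS_KEYS <= keys:
        return {"kind": "sms", "sender": params["from"], "body": params["text"]}
    return None


def scan_proxy_log(lines):
    """Return (client_ip, finding) for each log line whose URL matches."""
    hits = []
    for line in lines:
        fields = line.split()  # constructed format: client method url
        if len(fields) < 3:
            continue
        finding = classify_request(fields[2])
        if finding:
            hits.append((fields[0], finding))
    return hits


# Constructed sample log lines; the host and all values are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.invalid/?to=%2B15550001111&i=310150123456789&m=356938035643809&f=1",
    "10.0.0.5 GET http://example.invalid/&from=%2B15552223333&text=Your+code+is+482913",
    "10.0.0.7 GET http://example.invalid/index.html",
]

if __name__ == "__main__":
    for client, finding in scan_proxy_log(SAMPLE_LOG):
        print(client, finding)
```

A request matching both the IMSI/IMEI parameter set and a subsequent "from"/"text" report from the same client is a strong indicator that the device should be isolated and the SMS-delivered authentication codes it received treated as compromised.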

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 2888413