InsomniHack'12
Nowadays, many banks try to secure their online transactions by sending an additional one-time password by SMS (mTAN) to the end-user. Unfortunately, in September 2010, the infamous ZeuS gang has written a new version, named Zitmo, which defeats this method. Mainly, Zitmo consists in infecting the end-user's mobile phone with a trojan that intercepts SMS on the phone. The whole operation is difficult to spot even to security-aware specialists.
This presentation explains how the attacks works, from one end to the other. We focus in particular on the mobile phone trojan's routines that intercept, process, send or release SMS messages. The analysis is conducted side by side with ARM assembly code. We show how to reroute stolen SMS messages to a test phone or how to display hidden windows of the trojan.
In 2009, a new Symbian malware named SymbOS/Yxes was detected and quickly hit the headlines as one of the first malware for Symbian OS 9 and above all as the foretaste of a mobile botnet. Yet, the detailed analysis of the malware was still missing. This paper addresses this issue and details how the malware silently connects to the Internet, installs new malware or spreads to other victims. Each of these points is illustrated with commented assembly code taken from the malware or re-generated Symbian API calls. Besides those implementation aspects, the paper also provides a global overview of Yxes's behaviour. It explains how malicious remote servers participate in the configuration and propagation of the malware, including Yxes's similarities with a botnet. It also tries to shed light on some incomplete or misleading statements in prior press articles. Those statements are corrected, based on the reverse engineering evidence previously. Finally, the paper concludes on Yxes's importance and the lack of security on mobile phones. It also indicates several aspects future work should focus on such as communication decryption, tools to analyze embedded malware or cybercriminals motivations.
