Sunday, June 23, 2013

Android Malware Zitmo Analysis

Zitmo

Zitmo is an Android bot whose aim is to steal the user's bank authentication tokens. What makes Zitmo interesting is its ability to defeat two-factor authentication.

To counter traditional banking trojans, online banking services employ transaction authentication numbers (TANs), a two-factor authentication mechanism, to authorize the user.

Zitmo is the mobile component of the Zeus bot, and it gives Zeus a way to get past two-factor authentication.

In this two-factor scheme, the online bank first asks for the user's mobile number. After the user authenticates with the traditional password, a message containing a secondary one-time password (the TAN) is sent to the user's mobile phone. Only someone holding both passwords can authenticate successfully and complete the transaction.

The following figure describes how Zitmo works:
First, Zeus infects the user's computer. Once the infected user connects to online banking, the banking session is hijacked in the browser. All of the user's input is sent to the bot server, including the phone number used for authentication. The bot server then sends a forged message to the user's mobile phone asking them to install an app, which is in fact the Zitmo bot. Once the user installs this app, every incoming message is hijacked as well. The secondary password is therefore forwarded to the bot server, and the attacker is able to carry out bank transactions.

Let's take a brief look inside Zitmo.
In the manifest, we can observe the following sections.
Zitmo requests permission to receive and send SMS messages.


Zitmo also registers a receiver that is triggered whenever the phone boots or reboots, so the bot is running again after a restart.

We can observe that Zitmo registers a receiver for incoming SMS with the highest possible priority (Integer.MAX_VALUE, 2147483647), so the SMS_RECEIVED broadcast is delivered to it before the stock messaging app and it can hijack the user's incoming messages. Because SMS_RECEIVED is an ordered broadcast, the receiver that runs first can also call abortBroadcast() so the message never reaches the user's inbox (Android 4.4 later restricted this to the default SMS app).
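The three manifest indicators described above (RECEIVE_SMS plus SEND_SMS permissions, a BOOT_COMPLETED receiver, and an SMS_RECEIVED receiver at Integer.MAX_VALUE priority) are exactly what an analyst would grep for when triaging a suspicious APK. The script below is an added example, not code from the original post or from Zitmo itself; the embedded manifest is a constructed sample modelled on the layout the post describes, and its package and class names (com.example.securitysuite, .BootReceiver, .SmsReceiver) are made up. It parses an AndroidManifest.xml (as produced by apktool or aapt) and reports each indicator it finds.

```python
"""Triage an AndroidManifest.xml for the Zitmo-style SMS interception pattern."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for attributes in the android: namespace

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
INT_MAX = 2147483647  # Integer.MAX_VALUE, the priority the post observes

# Constructed sample manifest (illustration only, not the real Zitmo manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitysuite">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Security Suite">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest used as a negative control.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def _priority(intent_filter):
    """Return the android:priority of an intent-filter as an int (0 if absent).
    Resource references such as @integer/x cannot be resolved here and count as 0."""
    raw = intent_filter.get(A + "priority")
    if raw is None:
        return 0
    try:
        return int(raw, 0)  # base 0 accepts decimal and 0x hex literals
    except ValueError:
        return 0


def parse_manifest(xml_text):
    """Return (set of requested permissions, list of receiver intent-filters)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            receivers.append({
                "name": recv.get(A + "name"),
                "actions": {a.get(A + "name") for a in flt.findall("action")},
                "priority": _priority(flt),
            })
    return perms, receivers


def triage(xml_text):
    """Return a list of human-readable findings matching the Zitmo pattern."""
    perms, receivers = parse_manifest(xml_text)
    findings = []
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("receives and sends SMS")
    for r in receivers:
        if BOOT_COMPLETED in r["actions"]:
            findings.append("boot-persistent receiver %s" % r["name"])
        if SMS_RECEIVED in r["actions"]:
            if r["priority"] >= INT_MAX:
                findings.append("SMS_RECEIVED receiver %s at Integer.MAX_VALUE priority" % r["name"])
            elif r["priority"] > 0:
                findings.append("SMS_RECEIVED receiver %s at elevated priority %d" % (r["name"], r["priority"]))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print(" -", line)
```

A match on all three findings is a strong signal but not proof on its own: legitimate SMS backup or anti-spam apps also request RECEIVE_SMS and use elevated priorities, so the next step is to inspect the receiver's onReceive() to see where the message text goes.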


The core part of Zitmo is shown in the following figure. When a message arrives, onReceive() is called, and it in turn calls sendSmsIfEnabled() to forward the SMS to the attacker.




