Defeating mTANs for profit

ShmooCon VII - 2011

Presented by: Axelle Apvrille, Kyle Yang
Date: Saturday January 29, 2011
Time: 16:00 - 17:00
Location: Break It room
Track: Break It!

Nowadays, many banks try to secure their online transactions by sending an additional one-time password by SMS (mTAN) to the end-user. Unfortunately, in September 2010, the infamous ZeuS gang wrote a new version, named Zitmo, which defeats this method. In short, Zitmo infects the end-user's mobile phone with a trojan that intercepts SMS messages on the phone. The whole operation is difficult to spot, even for security-aware specialists.

This presentation explains how the attack works, from one end to the other. We focus in particular on the mobile phone trojan's routines that intercept, process, send or release SMS messages. The analysis is conducted side by side with ARM assembly code. We show how to reroute stolen SMS messages to a test phone and how to display hidden windows of the trojan.

Axelle Apvrille

Axelle Apvrille is a senior mobile anti-virus researcher at Fortinet. She hunts down malware for mobile phones. Last year, her research on Symbian mobile phone malware was awarded "Best Paper" at EICAR 2010. Before that, she worked in cryptology and security protocols, and published in several magazines (IEEE Security & Privacy, Linux magazine) and conferences (USENIX LISA).

Kyle Yang

Xu (Kyle) Yang (CCIE#19065) has worked as a malware researcher and software engineer at Fortinet for more than six years. He currently focuses on custom malware packer research and botnet research. In his leisure time, he maintains a personal blog about reverse engineering: http://re-malware.com
