Back in March of 2011, we reported that the ZeuS trojan had made its way onto the BlackBerry platform in the form of its mobile component, Zitmo (ZeuS-in-the-Mobile). Zitmo has been better known for infecting Android devices, but it has now resurfaced among BlackBerry users in Europe.

Zitmo variants have masqueraded as banking security applications or security add-ons. In the case of the new version targeting BlackBerrys, the app shows up on an infected phone as “Zertifikat” (German for “certificate”). When the victim runs it, it displays a message in German saying that the installation was successful and shows an activation code for the app.


ZeuS is designed mainly to steal online banking credentials from users. The original versions of Zitmo did this by monitoring incoming SMS messages, picking out the ones sent by a bank and forwarding those to a command-and-control (C&C) phone number controlled by the attacker.

That attack is designed to circumvent the out-of-band authentication systems used by some banks, particularly in Europe, in which the bank sends the user a one-time password for each transaction via SMS. The more recent variants of Zitmo aren’t that picky: they simply forward every incoming SMS to the C&C number, according to an analysis of the new Zitmo variants by Denis Maslennikov, a researcher at Kaspersky Lab.

“As you may know, the Blackberry platform has never been actively targeted by malware. And here we have 4 different samples of ZeuS-in-the-Mobile for Blackberry at once: 3 .cod files and 1 .jar file (with one more .cod inside). Yes, finally we’ve got a ZitMo dropper file for Blackberry,” Maslennikov said. “The analysis of the new Blackberry ZitMo files showed that there are no major changes. The virus writers finally fixed the grammar mistake in the ‘App Instaled OK’ phrase, which is sent via SMS to the C&C cell phone number when a smartphone has been infected. Instead of the ‘BLOCK ON’ or ‘BLOCK OFF’ commands (blocking or unblocking all incoming and outgoing calls) there are now ‘BLOCK’ and ‘UNBLOCK’ commands. The other commands, which are received via SMS, remain the same.”
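The two behaviours described above, forwarding intercepted SMS messages to a C&C phone number and taking BLOCK/UNBLOCK commands back over SMS, are simple enough to turn into a host-side detection heuristic over an SMS log. The following is an added example written for this page; it is not code from Kaspersky Lab, RIM, ThreatPost or the malware. Every SMS record, phone number and timestamp in it is constructed, and the 120-second correlation window, the digit-run pattern used to spot a one-time password, and the regular expression that also accepts the corrected “App Installed OK” spelling (the article does not give the corrected text) are assumptions.

```python
"""Heuristic detector for ZitMo-style SMS interception.

Added example for this page; not code from Kaspersky Lab, RIM, ThreatPost
or the malware itself. All SMS records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Strings quoted in the article: the install beacon sent to the C&C phone
# number, and the commands the C&C sends back to the handset over SMS.
# Assumption: the regex also accepts the corrected "Installed" spelling.
BEACON_RE = re.compile(r"^app\s+instal+ed\s+ok$", re.IGNORECASE)
C2_COMMANDS = {"BLOCK ON", "BLOCK OFF", "BLOCK", "UNBLOCK"}

# A bank one-time password is a short run of digits (length is an assumption).
OTP_RE = re.compile(r"\b\d{5,8}\b")


@dataclass(frozen=True)
class Sms:
    ts: datetime
    direction: str  # "in" (received) or "out" (sent)
    peer: str       # sender for inbound, recipient for outbound
    body: str


def detect(records, window=timedelta(seconds=120)):
    """Return (kind, record) findings in timestamp order.

    forwarded_sms : an outbound message, sent to someone other than the
                    original sender, that repeats a recent inbound message
                    or its OTP digits. Catches both the bank-only and the
                    forward-everything ZitMo behaviours.
    c2_beacon     : outbound "App Instaled OK" style install notice.
    c2_command    : inbound BLOCK/UNBLOCK style command.
    """
    findings = []
    recent_in = []
    for rec in sorted(records, key=lambda r: r.ts):
        body = rec.body.strip()
        if rec.direction == "in":
            recent_in.append(rec)
            if body.upper() in C2_COMMANDS:
                findings.append(("c2_command", rec))
            continue
        if BEACON_RE.match(body):
            findings.append(("c2_beacon", rec))
        # Only correlate against inbound messages inside the time window.
        recent_in = [r for r in recent_in if rec.ts - r.ts <= window]
        for src in recent_in:
            if src.peer == rec.peer:
                continue  # replying to the original sender is normal use
            otps = OTP_RE.findall(src.body)
            if src.body.strip() in body or any(o in body for o in otps):
                findings.append(("forwarded_sms", rec))
                break
    return findings


# Constructed sample log: an infected handset beacons to the C&C number,
# forwards a bank OTP, forwards an unrelated message, then receives BLOCK.
BASE = datetime(2012, 8, 7, 9, 0, 0)      # arbitrary timestamp
C2_NUMBER = "+447700900123"               # constructed C&C phone number
BANK = "MyBank"                           # constructed alphanumeric sender
FRIEND = "+491701234567"                  # constructed contact

SAMPLE_LOG = [
    Sms(BASE, "out", C2_NUMBER, "App Instaled OK"),
    Sms(BASE + timedelta(seconds=60), "in", BANK,
        "Your mTAN is 482913 for transfer of 250.00 EUR"),
    Sms(BASE + timedelta(seconds=63), "out", C2_NUMBER,
        "Your mTAN is 482913 for transfer of 250.00 EUR"),
    Sms(BASE + timedelta(seconds=300), "in", FRIEND, "See you at 8"),
    Sms(BASE + timedelta(seconds=302), "out", C2_NUMBER,
        "From +491701234567: See you at 8"),
    Sms(BASE + timedelta(seconds=400), "in", C2_NUMBER, "BLOCK"),
    Sms(BASE + timedelta(seconds=900), "out", FRIEND, "Sure, 8 works"),
]

if __name__ == "__main__":
    for kind, rec in detect(SAMPLE_LOG):
        print(f"{rec.ts:%H:%M:%S} {kind:14s} {rec.direction:3s} {rec.peer} {rec.body!r}")
```

The reply to FRIEND at the end is deliberately left unflagged: a message back to the number that just texted you is ordinary use, and the forwarding check only fires when the repeated content goes to a third party. On a real device the same heuristic would run over the handset's SMS store or carrier-side logs rather than a hand-built list.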

RIM is aware of the malware threats, said Adrian Stone, Director of Security Response for BlackBerry. “When you look at our customer base, it’s not only enormous, but it’s also high-value. You start at the White House and work your way down. We start with the code and work our way up from there. The end-to-end security premise of BlackBerry is real. We always have to be vigilant. We look at things from everywhere,” Stone said.


Nevertheless, always be sure of what you’re downloading, even from within BlackBerry App World. We’d hate to hear of any user becoming a victim of the Zitmo trojan.

via ThreatPost