{
	"id": "e5bc4951-b2c0-4131-8ad0-e5aa59ff6ea5",
	"created_at": "2026-04-06T00:06:46.514833Z",
	"updated_at": "2026-04-10T03:21:31.116445Z",
	"deleted_at": null,
	"sha1_hash": "813646c1f31345c21a87a994a41ce7ac642b0a4c",
	"title": "ZeuS-in-the-Mobile for Android",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185238,
	"plain_text": "ZeuS-in-the-Mobile for Android\r\nBy Denis Maslennikov\r\nPublished: 2011-07-12 · Archived: 2026-04-05 14:21:23 UTC\r\nThe first version of ZeuS-in-the-Mobile (ZitMo), malware which targets mTANs, was discovered in the end of\r\nSeptember 2010. In that case it was targeting Symbian smartphones. Later on, ZitMo versions for Windows\r\nMobile and Blackberry were found. It comes as no surprise that cybercriminals have created new and\r\nsophisticated pieces of mobile malware for Symbian and Windows Mobile; more surprising is that Blackberry\r\ndevices were also targeted; and even more surprising is that until July 2011 there was no evidence of ZitMo for\r\nAndroid’s existence. And now please ‘welcome’ ZeuS-in-the-Mobile for Android.\r\nThe first fact that must be mentioned is that ZitMo for Android differs from Symbian, Windows Mobile and\r\nBlackberry versions a lot. The functionality and logic of ZitMo for Symbian, Windows Mobile and Blackberry is\r\nthe same: C\u0026C cell phone number, SMS commands, and the ability to forward SMS messages from a particular\r\nnumber, as well as the ability to change C\u0026C.\r\nThe functionality and logic of ZitMo for Android is far more primitive. The APK file itself has a 19k size. It\r\npasses itself off as a security tool from the ‘Trusteer’ company. If a user installs the malicious application then the\r\nfollowing ‘Trusteer Rapport’ icon will appear in the main menu:\r\nhttps://securelist.com/zeus-in-the-mobile-for-android/29258/\r\nPage 1 of 6\n\nAnd that’s what going to be on the screen after clicking on the application’s link:\r\nhttps://securelist.com/zeus-in-the-mobile-for-android/29258/\r\nPage 2 of 6\n\nAs I said previously, ZitMo for Android is very primitive. 
Its functionality consists only of the ability to upload all\r\nincoming SMS messages (including mTANs) to a remote web server http://******rifty.com/security.jsp in the\r\nfollowing format:\r\nf0={SMS_sender_number}\u0026b0={SMS_text}\u0026pid={infected_device_ID}\r\nThe first attacks with ZeuS-in-the-Mobile for Android probably started in early June. But how does ZitMo for\r\nAndroid actually infect devices? Nothing has changed in this area.\r\nWe found one of the Win32 ZeuS configuration files which contains the following ‘suggestion’:\r\nIf the user chooses ‘Android’ and clicks ‘Continue’ he will be redirected to the following page where he is asked\r\nto download the ‘security tool’:\r\nIf the user chooses any other option (‘iOS (iPhone)’, ‘BlackBerry’, ‘Symbian (Nokia)’ or ‘Other’) they will get…\r\nnothing!\r\nIn other words this particular attack was targeting only Android devices.\r\nBut besides the site http://*************.com/tr.apk cybercriminals have also uploaded ZitMo for Android to the\r\nAndroid Market. The application has already been removed but, as in previous cases of malware in the\r\nAndroid Market, there are mirroring websites which save the information about all the programs approved by\r\nGoogle. In the case of ZitMo for Android, the application was uploaded with the ‘TrustMobile’ name probably on\r\nthe 18th of June.\r\nSo, now we have ZitMo targeting 4 platforms: Symbian, Windows Mobile, Blackberry and Android. As we wrote\r\nin our previous blog about ZeuS-in-the-Mobile ‘cybercriminals are still very far away from stopping their\r\nactivities’.\r\nSource: https://securelist.com/zeus-in-the-mobile-for-android/29258/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/zeus-in-the-mobile-for-android/29258/"
	],
	"report_names": [
		"29258"
	],
	"threat_actors": [],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/813646c1f31345c21a87a994a41ce7ac642b0a4c.pdf",
		"text": "https://archive.orkl.eu/813646c1f31345c21a87a994a41ce7ac642b0a4c.txt",
		"img": "https://archive.orkl.eu/813646c1f31345c21a87a994a41ce7ac642b0a4c.jpg"
	}
}