{
	"id": "3be21324-d12b-4c26-9820-d98b1522e1eb",
	"created_at": "2026-04-06T01:32:03.124802Z",
	"updated_at": "2026-04-10T03:22:13.213674Z",
	"deleted_at": null,
	"sha1_hash": "b70749f7c873ec5d69e674b4e2eabaf14ec31722",
	"title": "ZeuS-in-the-Mobile - Facts and Theories",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 288994,
	"plain_text": "ZeuS-in-the-Mobile - Facts and Theories\r\nBy Denis Maslennikov\r\nPublished: 2011-10-06 · Archived: 2026-04-06 00:38:46 UTC\r\nIntroduction\r\nOnline banking is now a run-of-the-mill affair for most. More and more banks are trying to maximize the range of\r\nservices available to clients online. With the added convenience and speed, it might seem as though there is no\r\ndownside to online banking. However, where there is money — in any form — there are usually scammers.\r\nIt’s hard to pinpoint exactly when the first attacks against online banking customers were launched — and in this\r\ncase, it’s not all that important. We have encountered two types of attacks: attacks that use classic phishing\r\nmethods, and attacks that employ a variety of malicious programs. Initially, these attacks were meant to identify\r\nonline banking system users — i.e. to harvest usernames and passwords. As banks improved their security\r\nmechanisms, cyber criminals responded by improving malicious programs and learned how to bypass most of the\r\ntransaction confirmation processes used in online banking systems.\r\nThese days, the most popular security features of online banking services are TAN codes (Transaction\r\nAuthentication Number) with digital signatures. In some cases, banks send TAN codes via a text message (these\r\nare called mTANs, or mobile transaction authentication numbers). Prior to September 2010, there were no\r\nrecorded instances of attacks using mTAN codes. In 2009, rumors went around that hackers were buying up Nokia\r\n1100s in bulk for tens of thousands of dollars — not just any 1100s, but specifically ones that were manufactured\r\nat a factory in Bochum, Germany. Allegedly, these particular handsets had special features (or vulnerabilities?)\r\nthat made it possible to intercept all text messages, including those containing mTAN codes. 
However, no such\r\ncases were ever confirmed.\r\nWhen the ZeuS Trojan for mobile platforms (aka ZeuS-in-the-Mobile, or ZitMo) came out in late September\r\n2010, it became the first malicious program designed to steal mTAN codes. This article will discuss ZitMo in\r\ndetail.\r\nZitMo’s plan of attack\r\nMobile ZeuS, or Trojan-Spy.*.Zitmo, was designed for one sole purpose: to quickly steal mTAN codes without\r\nmobile users noticing. The first important thing to point out is that ZitMo works in close collaboration with the\r\nregular ZeuS Trojan. By the regular ZeuS we will mean a modification of the Trojan that targets the Win32\r\nplatform and which is classified as Trojan-Spy.Win32.Zbot by Kaspersky Lab.\r\nReaders may recall that ZeuS for PCs running on Windows has been around for some time now. Its first\r\nmodifications appeared back in 2007. Check out Dmitri Tarakanov’s article for more about ZeuS.\r\nWhat happens when a user whose computer is infected with ZeuS gets ready to log in to an online banking\r\nsystem? The user attempts to navigate to his bank’s webpage and log into the system. The PC version of ZeuS\r\nhttps://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/\r\nPage 1 of 11\n\nregisters that the victim is going to an address of interest, and modifies this webpage in the browser so that the\r\npersonal data entered by the user for authentication is not sent to the bank, but to the ZeuS botnet command\r\ncenter.\r\nHow ZeuS works\r\nSometime in September 2010, malicious users added a new function to the PC-based ZeuS. 
The way it worked\r\nremained more or less the same, only now a modified authentication page would also ask the user to enter data\r\nabout their mobile device (the make, model, and telephone number) in addition to their username and password.\r\nUsers were told that the data was requested for the alleged purpose of certificate updates.\r\nA portion of an online banking authentication page which has been modified by malicious users. This\r\npage asks users to enter information about their telephone model and number.\r\n(Source: http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-ii.html)\r\nSooner or later, users who provided information to malicious users about their cell phones would receive a text\r\nmessage asking them to install a new security certificate. This “security certificate” could be downloaded via a\r\nlink that was provided in the text message. However, this “certificate” was in fact the mobile version of the ZeuS\r\nTrojan. If the user followed the link, downloaded and installed the application, then his mobile phone would be\r\ninfected by ZitMo, the primary function of which is to send a text message to a malicious user’s phone as\r\nspecified in the body of the Trojan.\r\nZitMo is still spread in the same way: users download it to their mobile devices under the assumption that it is\r\nlegitimate software.\r\nThe malicious users who successfully used the PC-based ZeuS to steal personal user data for online banking\r\nsystems and infect victims’ phones with ZitMo were thus able to overcome the last barrier of online banking\r\nsecurity systems: the mTAN code. By entering a user’s login and password, they were able to access their bank\r\naccounts and conduct transactions (such as transferring money from the user’s account to their own bank\r\naccounts). 
These transactions required additional authentication using a code sent by the bank via text message to\r\nthe client’s phone. After the client submitted a transaction request, the bank would send the client an\r\nauthentication code. The code would be sent to the ZitMo-infected handset, which immediately forwarded it to the\r\nmalicious user’s number; the malicious user would then use the stolen mTAN to authenticate the transaction. And the victim\r\nwould be none the wiser.\r\nThe attacks are generally orchestrated as follows:\r\n1. Cyber criminals use the PC-based ZeuS to steal the data needed to access online banking accounts and\r\nclient cell phone numbers.\r\n2. The victim’s mobile phone (see point 1) receives a text message with a request to install an updated\r\nsecurity certificate, or some other necessary software. However, the link in the text message will actually\r\nlead to the mobile version of ZeuS.\r\n3. If the victim installs this software and infects the phone, the malicious user can then use the stolen\r\npersonal data and attempt to make cash transactions from the compromised account, but still needs an\r\nmTAN code to authenticate the transaction.\r\n4. The bank sends out a text message with the mTAN code to the client’s mobile phone.\r\n5. ZitMo forwards the text message with the mTAN code to the malicious user’s phone.\r\n6. The malicious user is then able to use the mTAN code to authenticate the transaction.\r\nKnown attacks\r\nZitMo was first detected on September 25, 2010. At that time, the Spanish data security company S21sec\r\nhad written about this threat (see: http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html).\r\nHowever, it was not clear which banks were targeted. All of the data available leads us to believe that the victims\r\nwere clients of one Spanish bank.\r\nAfter that article was published, antivirus companies began their own research. 
S21sec reported it had detected\r\nZitMo on two different mobile platforms: Symbian and BlackBerry. Samples of the malicious program for\r\nSymbian were quickly found, but for a long time the mobile version of ZeuS for BlackBerry existed only in theory\r\nand on paper as no one was able to get their hands on a sample.\r\nA Polish blogger wrote about the second ZitMo attack on 21 February 2011 (see:\r\nhttp://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/) and the names of the banks whose clients were being\r\ntargeted finally came to light: ING and mBank.\r\nZeuS’s modification of ING’s online banking web page\r\n(Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/)\r\nThe list of targeted platforms also grew, and now included smartphones running on Windows Mobile.\r\nAt that point, only the ZitMo attacks described above had been detected. It remains unclear whether other attacks\r\nhad taken place. If so, then they will probably not be discussed in public.\r\nPlatforms\r\nAt the time of this article’s publication (October 2011), various modifications of ZitMo had been detected for the\r\nfollowing platforms: Symbian, Windows Mobile, BlackBerry and Android.\r\nAbove, we described the general sequence of events that occur during attacks and the main objective of the mobile\r\nversion of ZeuS, i.e. to obtain text messages with mTAN codes. The functions for ZitMo versions targeting\r\ndifferent platforms (save for Android) are identical, although it’s still important to take a closer look at the\r\nindividual versions for each mobile platform.\r\nFor starters, let us take a look at one crucial and interesting detail of all ZitMo versions, with the exception of\r\nAndroid. A Trojan running on a smartphone is controlled by commands that are received via text message. 
So\r\nessentially, ZitMo is a text-bot, the C\u0026C of which is another telephone, or to be more precise, a telephone number.\r\nBy July 2011, the following C\u0026C numbers had been identified:\r\n+44778148****\r\n+44778148****\r\n+44778148****\r\n+44778620****\r\n+44778148****\r\nThese are all UK numbers. Is this indirect evidence that the authors of the malicious program were located in the\r\nUK during the attack? It’s possible.\r\nSymbian\r\nThe ZitMo version for Symbian was the first sample of this threat obtained by antivirus companies (in late\r\nSeptember 2010). Another point worth mentioning is that this malicious program was given a legitimate digital\r\nsignature (which has since been recalled).\r\nOne of ZitMo’s digital signatures\r\nSo how does ZitMo for Symbian operate?\r\nImmediately after a smartphone is infected, the Trojan sends the text message ‘App installed OK’ to the C\u0026C\r\nnumber, thus notifying the malicious users that the program has been installed and is ready to accept commands.\r\nZitMo then creates a database named NumbersDB.db with three tables: tbl_contact, tbl_phone, and tbl_history.\r\nAfter infection, ZitMo can receive text messages from the C\u0026C number with the following commands:\r\nADD SENDER\r\nREM SENDER\r\nSET SENDER\r\nSET ADMIN\r\nBLOCK ON or OFF\r\nON or OFF\r\nThe ADD SENDER command is one of the most critical for ZitMo, since it orders the forwarding of text\r\nmessages from specified telephone numbers (the numbers which banks use to send mTAN codes via text message)\r\nto the C\u0026C number. 
In other words, this command activates the forwarding of text messages with authentication\r\ncodes for transactions executed by malicious users.\r\nThe REM SENDER command ends the forwarding of text messages from the number specified in the command\r\nto the C\u0026C number.\r\nThe SET SENDER command allows the malicious users to update the telephone number from which the text\r\nmessages are forwarded to the C\u0026C.\r\nThe SET ADMIN command lets malicious users change the C\u0026C number. This is the only command that can be\r\nsent to an infected mobile device from a telephone number other than the C\u0026C number, enabling malicious users\r\nto change the command center.\r\nThe BLOCK ON/BLOCK OFF commands allow malicious users to block or unblock all incoming and outgoing\r\ncalls.\r\nThe ON/OFF command allows the malicious users to switch ZitMo on and off.\r\nZitMo does not contain any “personal” commands and is designed with one goal in mind: to transfer text\r\nmessages with mTAN codes.\r\nThe second version of ZitMo, detected in a second identified attack, was slightly different from the first, but only\r\nnegligibly. First of all, what is clear is that the C\u0026C number was different. However, the country code (UK) in this\r\nnumber remained the same. Second, ZitMo began to scan both incoming and outgoing text messages, which is a\r\nbit strange, since the primary objective of the Trojan is to harvest mTAN codes. The third difference is that ‘App\r\ninstalled OK’ text messages were sent every time a SET ADMIN command was successfully received and\r\nexecuted. Previously these messages were only sent after a Trojan was installed.\r\nWindows Mobile\r\nZitMo for Windows Mobile was detected during the Trojan’s second known attack, which also involved the\r\nSymbian version. 
It comes as no surprise that the C\u0026C number for both the Windows Mobile and Symbian\r\nversions of the threat was the same.\r\nA fragment of code from Trojan-Spy.WinCE.Zitmo.a\r\nA fragment of code from Trojan-Spy.SymbOS.Zitmo.b\r\nThere are no differences in the functions between the Windows Mobile and Symbian versions of ZitMo. The\r\nTrojan is capable of receiving and executing the same commands on both platforms.\r\nBlackBerry\r\nThe BlackBerry version of ZitMo turned out to be quite complex and a bit of a mystery. The threat was first\r\nidentified in the same blog which announced the first confirmed appearance of ZitMo. But after five months of\r\nresearch, antivirus companies could not detect any files associated with ZitMo for BlackBerry and some people\r\nbegan to speculate that there was, in fact, no active BlackBerry version of ZitMo. Kaspersky Lab finally detected\r\nthe file sertificate.cod shortly after the second ZitMo attack in late February 2011, which turned out to be the\r\nelusive ZeuS-in-the-Mobile for BlackBerry.\r\nA fragment of the sertificate.cod file\r\nA quick glance at the file shows that in terms of the commands for this ZitMo version, there are no major\r\ndifferences from the other versions. A more detailed analysis brought the following to light.\r\nThe main methods used by this Trojan are stored in the file OptionDB.java. 
Among the names of the methods, one\r\ncan find getAdminNumber, which is used, among other things, in the following Trojan installation confirmation\r\nprocess:\r\nA part of the Trojan’s installation confirmation process\r\nLogical methods can be found, such as isForwardSms, which determines whether or not a text message will be\r\nforwarded, and isBlockAllCalls, which determines whether or not telephone calls will be blocked.\r\nThe main processes required by this program’s operations can be found in the file SmsListener.java. These\r\ninclude, for example, a number verification process to identify the senders of incoming text messages that then\r\ndetermines which messages should be forwarded to the malicious users.\r\nAndroid\r\nZitMo for Android was detected last of all, in early July 2011. The sample that was found is very different from all\r\nprevious ZeuS-in-the-Mobile versions. The threat’s functions are so primitive that it might seem as though the\r\nAPK file is entirely unconnected to ZitMo. However, research confirmed that it really is ZeuS-in-the-Mobile for\r\nAndroid.\r\nWe have written about how ZeuS operates. In brief, when a user attempts to visit his bank’s website and log in, he\r\nwill instead see a page that has been modified by ZeuS asking him to enter data which is then sent to a malicious\r\nuser’s server, not the bank.\r\nThe first attacks using ZitMo for Android began in the first two weeks of June. The tactics used to spread the\r\nthreat were the same. 
The following message was found in one of the configuration files of Trojan-Spy.Win32.Zbot:\r\nZeuS’s “welcome message”\r\nOnce a user selects “Android” and clicks “Continue”, he is led to the following page, where he is “strongly\r\nrecommended” to download “a special software which will help to protect you from fraud”.\r\nA recommendation to download a so-called anti-fraud utility\r\nIf a user selects an OS other than Android, then nothing will happen. The user will see the following message.\r\nThe message for non-Android users stating that no “additional protection” is required\r\nIn other words, this specific version of ZitMo targets the Android platform exclusively.\r\nAfter downloading and installing the allegedly legitimate software, the user will receive the malicious program on\r\nhis smartphone, the only purpose of which is to forward all incoming text messages (including those with mTAN\r\ncodes) to a remote server (http://******rifty.com/security.jsp) in the following format:\r\nf0={SMS_sender_number}\u0026b0={SMS_text}\u0026pid={infected_device_ID}\r\nThere are no other additional functions — not even any C\u0026C numbers or text message commands in ZitMo for\r\nAndroid! However, ZitMo for Android still definitely has a connection to the PC-based ZeuS.\r\nAlso of note: the malicious program has been on the Android Market for some time now. It was uploaded there on\r\n18 June, although the date it was removed is not clear. 
It was downloaded from Android Market less than 50\r\ntimes.\r\nWhat next?\r\nThe ZitMo Trojan, which works in collaboration with the PC-based ZeuS Trojan, is perhaps one of the most\r\ncomplex recent mobile threats for the following reasons:\r\nIt is a Trojan with a very narrow specialization: forwarding incoming text messages with mTAN codes to\r\nmalicious users (or a server, in cases involving ZitMo for Android) so that the latter can execute financial\r\ntransactions using hacked bank accounts.\r\nThere are versions for multiple mobile platforms. ZitMo versions for Symbian, Windows Mobile,\r\nBlackBerry, and Android have been detected.\r\nIt works with ZeuS as a “team”. If you look at ZitMo separately, i.e. without any connection to the PC-based ZeuS, then it becomes mere spyware capable of forwarding text messages. However, if used in\r\ncombination with the classic PC-based ZeuS, then malicious users will be able to clear the final hurdle of\r\nonline banking authentication processes using stolen mTAN codes.\r\nIn the future, attacks involving ZitMo (or a malicious program with similar functions) that are designed to\r\nsomehow steal mTAN codes (or perhaps other confidential information that is sent via text message) will\r\ncontinue, although it is likely that they will become more specifically targeted against a smaller number of\r\nvictims.\r\nSource: https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/"
	],
	"report_names": [
		"36424"
	],
	"threat_actors": [],
	"ts_created_at": 1775439123,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b70749f7c873ec5d69e674b4e2eabaf14ec31722.pdf",
		"text": "https://archive.orkl.eu/b70749f7c873ec5d69e674b4e2eabaf14ec31722.txt",
		"img": "https://archive.orkl.eu/b70749f7c873ec5d69e674b4e2eabaf14ec31722.jpg"
	}
}