Tuesday, 7 May 2013

Warning: ZertSecurity Android trojan hits German users

ZertSecurity is a banking trojan which masquerades as a certificate security application that asks the user to input their bank account number and PIN.
ZertSecurity was found in the Google Play store, although less than 100 copies had been downloaded in the 30 or so days that it was live. It has since been removed by Google.
All Lookout users are protected against this threat.
Lookout’s Take
In contrast to most other banking trojans, ZerSecurity is standalone with no corresponding desktop component as has normally been seen in banking threats like Zitmo/Citmo. This is because in this case, the attackers are able to collect everything they need with one simple form.
Since Postbank requires Account number and PIN for web access, by phishing for these details and then controlling all SMS sent to the user’s mobile, the people behind this attack are able to:
  • Access the web account
  • Review or make transactions
  • Intercept any two factor authentication messages sent over SMS.
In particular this means they would be able to authenticate transactions that they create, by hijacking the mTAN SMS.
How it works
Links to ZertSecurity’s installation website were pushed out as part of a phishing campaign that targeted users in Germany. All emails seen so far have masqueraded as emails from Postbank and contain messages along these lines:
  1. Following an account audit it has been identified that your information is out of date, and your account access has been limited. You need to click on the attached link in order to update your account and restore access.
  2. After a certain date, It will only be possible to use the Postbank mobile TAN service if you install the SSL certificate from this application. Use the attached link to install the SSL certificate on your smartphone right now now.
If the link is followed from anything other than an Android device, the installation website displays “Certificate was successfully installed”, and nothing further happens.
Following the link using an Android device takes the user to a website which invites them to install the fake security certificate application, and provides instructions to guide users through the installation process.

No comments:

Post a Comment