When we talk about Android malware, we're usually discussing apps
that look to make money in small or subtle ways, usually by tricking you
into viewing ads or sending premium SMS messages. This week, we look at
a full-blown banking Trojan that will siphon cash directly from your bank account if you're not careful.
This week's bad app is designed to sidestep two-factor authentication
for online banking transactions. Like on Twitter or other sites with
two-factor authentication, some banks will send short security codes
called mTANs via text message to users' phones to confirm transactions.
Normally, users would enter these into a website or app, but these
banking Trojans get it first.
Zitmo.B
F-Secure Security Response Director Antti Tikkanen explained
to SecurityWatch that this is a variant on the Zitmo malware, or "Zeus
In The Mobile." It doesn't work on its own, but needs a victim who
already has a Zeus Trojan on their Windows PC. "When the user
visits his online bank using the browser on the PC, the banking Trojan
shows a message in the browser explaining that 'an additional security
application' has to be installed on his phone to use the online bank,"
explained Tikkanen. "This application is the Zitmo trojan."
These apps trade under two names, usually ing.certificaat.apk or
zertifikat.apk. According to F-Secure, these names indicate that the
Trojans are aimed at Dutch and German users, as they translate to
"certificate" in the respective languages. The apps may appear as
"com.certsysdata.core" or "com.androidcore.providers.system10" in your
Running Apps menu.
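
As an added example (not from F-Secure or the original article), the names quoted above can be checked against a device's installed packages and leftover downloads. It assumes the package listing comes from `adb shell pm list packages -f`; the function names, the download listing and the sample data are constructed for illustration.

```python
"""Check adb output for the Zitmo.B names quoted in the article."""
import posixpath

# Indicators taken from the article text.
ZITMO_PACKAGES = {"com.certsysdata.core", "com.androidcore.providers.system10"}
ZITMO_APK_NAMES = {"ing.certificaat.apk", "zertifikat.apk"}


def parse_pm_list(output):
    """Parse `pm list packages -f` lines: package:<apk path>=<package name>."""
    apps = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue  # skip blank lines and adb noise
        # The APK path may itself contain '=', the package name cannot.
        path, name = line[len("package:"):].rsplit("=", 1)
        apps[name] = path
    return apps


def find_zitmo(pm_output, download_listing=""):
    """Return sorted (kind, value) findings for packages and APK files."""
    findings = []
    for name in parse_pm_list(pm_output):
        if name.lower() in ZITMO_PACKAGES:
            findings.append(("installed-package", name))
    # An installed APK is renamed after its package, so the download
    # file names are only useful against a file listing.
    for entry in download_listing.splitlines():
        entry = entry.strip()
        if posixpath.basename(entry).lower() in ZITMO_APK_NAMES:
            findings.append(("apk-file", entry))
    return sorted(findings)


# Constructed sample input, not captured from a real device.
SAMPLE_PM = """\
package:/system/app/Browser.apk=com.android.browser
package:/data/app/com.certsysdata.core-1.apk=com.certsysdata.core
package:/data/app/com.example.bank-2.apk=com.example.bank
"""
SAMPLE_DOWNLOADS = "/sdcard/Download/zertifikat.apk\n/sdcard/Download/photo.jpg\n"

if __name__ == "__main__":
    for kind, value in find_zitmo(SAMPLE_PM, SAMPLE_DOWNLOADS):
        print(f"{kind}: {value}")
```
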
The Zitmo.B Trojan runs in the background in conjunction with the
Zeus Trojan on the victim's computer. Using the victim's bank login
information nabbed by Zeus on the PC, the attacker can initiate a
transfer of funds. Zitmo.B then intercepts the mTAN sent via SMS message
from the bank to confirm the transfer. Zitmo.B forwards the
confirmation code to the attacker's webserver, and suppresses the
message from ever appearing on the victim's phone. The attacker is now
free to raid the victim's bank account.
This is particularly scary because once Zitmo.B is on the victim's Android, the rest of the attack is automatic. "So the user does not have to do anything," said Tikkanen.
Staying Safe
These Trojans require victims to
willingly install them, which involves allowing third-party apps on
their phone. This option is buried in the settings menu, and is turned off by default.
People who make use of legitimate third-party marketplaces, like
Amazon's App Market for instance, may have enabled this feature.
Generally, we advise that Android users keep this turned off unless
absolutely necessary. Installing Android security software, like our
Editors' Choice award winners Bitdefender Mobile Security and Antivirus or avast! Mobile Security & Antivirus, can also guard against Trojanized apps.