First SpyEye Attack on Android Mobile Platform now in the Wild…

It seems that SpyEye distributors are catching up with the mobile market as they (finally) target the Android mobile platform.

Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, SpyEye followed Zeus’ tracks by introducing its own hybrid desktop-mobile attacks (dubbed SPITMO).


The most recent achievement (that is, until our discovery at the end of July) of SpyEye, in the mobile arena, was reported in April on F-Secure’s blog:

The trojan injects fields into the bank’s webpage and asks the customer to input his mobile phone number and the IMEI of the phone. The bank customer is then told the information is needed so a “certificate” can be sent to the phone and is informed that it can take up to three days before the certificate is ready.

“The trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate.”

“The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.”

Up to three days to accomplish an attack in 2011? This is due to the following cumbersome cycle which is used to circumvent Symbian’s signing requirement:

  • Ask the user for their device’s IMEI
  • Generate an appropriate certificate
  • Release an updated installer


Waiting three days just to steal a couple of SMSs is not a reasonable overhead now that Android OS is available, offering a much more intuitive and modern approach to looting the desired treasure.
