For a long time, only two families of such malware were known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’; without them, they would look like trivial SMS spy Trojans. It should be noted that during the last two years such attacks have been observed only in some European countries such as Spain, Italy, Germany, Poland and a few others.
In order to gain access to online banking accounts, the attackers need to get hold not only of the victim’s username and password, but also of the mobile Transaction Authentication Number (mTAN) that is used for two-factor authentication.
But when the mobile version of the Carberp Trojan appeared, such attacks became real in Russia as well. It is no secret that online banking is becoming more and more popular in Russia, and banks are very active in promoting online banking with various authorization methods.
Carberp for Windows works in a similar way to the ZeuS Trojan. If a user tries to log in to his online banking account using a machine infected by Carberp, the malware will modify the transaction so that user credentials are sent to a malicious server rather than a bank server.
In addition to the login and password, cybercriminals still need mTANs in order to confirm any money transfer operation from a stolen account. That is why one of the Carberp modifications (we call it Trojan-Spy.Win32.Carberp.ugu and we added detection for it on 11th of December) alters the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system. The user can get the download link via SMS message by entering his phone number, or by scanning a QR code.
The CitMo Android Trojan works in almost the same way as ZitMo. It is able to hide particular SMS messages and resend them to the attacker's command server. Some versions of ZitMo resend SMS messages to particular cell phone numbers in addition to various web servers. Known versions of CitMo and the Windows module of Carberp (Trojan-Spy.Win32.Carberp.ugu) work only with the remote server ‘bersta***.com’.
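As an added example (not from the original article or from the vendor): a static triage heuristic for the hide-and-forward behaviour described above, run over a decoded AndroidManifest.xml. It assumes that SMS hiding relies on a high-priority SMS_RECEIVED receiver; the function name and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(xml_text):
    """Flag manifests able to read, pre-empt and forward incoming SMS (heuristic)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    max_prio = None                      # highest priority of any SMS_RECEIVED filter
    for flt in root.findall("./application/receiver/intent-filter"):
        if any(a.get(A + "name") == SMS_ACTION for a in flt.findall("action")):
            try:
                prio = int(flt.get(A + "priority", "0"))
            except ValueError:           # malformed value: treat as default priority
                prio = 0
            max_prio = prio if max_prio is None else max(max_prio, prio)
    reads_sms = "android.permission.RECEIVE_SMS" in perms and max_prio is not None
    # Assumption: a priority above the default lets the receiver see the ordered
    # broadcast before the stock SMS app, which is how messages get hidden on
    # Android versions before 4.4.
    preempts = reads_sms and max_prio > 0
    channels = [name for perm, name in (("android.permission.INTERNET", "http"),
                                        ("android.permission.SEND_SMS", "sms"))
                if perm in perms]
    return {"reads_incoming_sms": reads_sms, "can_preempt_inbox": preempts,
            "forward_channels": channels if reads_sms else [],
            "suspicious": preempts and bool(channels)}

_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
# Constructed sample: SMS receiver at maximum priority plus both forwarding channels.
SUSPICIOUS = (_HEAD % "com.example.constructed.auth") + """
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><receiver android:name=".R">
    <intent-filter android:priority="2147483647">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver></application></manifest>"""
# Constructed sample: reads SMS at default priority, so it cannot hide messages.
BENIGN = (_HEAD % "com.example.constructed.otp") + """
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><receiver android:name=".R">
    <intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver></application></manifest>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_manifest(doc))
```

A positive result is a reason to inspect the receiver's code and network endpoints, not a verdict on its own, since legitimate messaging apps can request the same permissions.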