According to msnbc.com, a new variant of the notorious bank account-stealing Zeus Trojan known as ZitMo, or "Zeus-in-the-Mobile," has been discovered on Android smartphones. The malware is disguised as a legitimate banking security application from Trusteer called Rapport, reports SC Magazine. In a blog post, senior Fortinet analyst Axelle Apvrille says:
In the background, it listens to all incoming SMS messages and forwards them to a remote web server. It's simple, but just enough for the ZeuS gang to grab your banking mTANs [mobile transaction authentication numbers] ...
InformationWeek explains the problem:
That's a security risk, as some banks now send mTANs ... via SMS. By intercepting these passwords, the Zeus-botnet-using criminal gang behind Zitmo can not only create fraudulent money transfers, but verify them.
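The behaviour the two quotes above describe (a receiver that sees every incoming SMS, plus a network channel to forward it) leaves a recognisable footprint in an app's manifest: the RECEIVE_SMS and INTERNET permissions together with a broadcast receiver registered for android.provider.Telephony.SMS_RECEIVED. The triage check below is an added example written for this page; it is not code from the article, from Fortinet, or from Trusteer. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool), and the two sample manifests and their package names are constructed for illustration, not taken from a real ZitMo sample.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-forwarding pattern.

Added example for this article, not the article's or Fortinet's code.
Assumes the manifest is plain XML (already decoded from binary AXML).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
INTERNET = "android.permission.INTERNET"


def android_attr(name):
    # ElementTree exposes namespaced attributes in Clark notation: {uri}local
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(manifest_xml):
    """Return findings for one manifest.

    'suspicious' is True when the app requests RECEIVE_SMS and INTERNET
    and registers a receiver for SMS_RECEIVED, i.e. it can read every
    incoming text and ship it off the device.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}

    sms_receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {a.get(android_attr("name")) for a in filt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                # SMS_RECEIVED is an ordered broadcast: a receiver with a higher
                # priority sees the message before the stock SMS app and can
                # abort it, so an extreme priority is a secondary hiding signal.
                priority = int(filt.get(android_attr("priority"), "0"))
                sms_receivers.append((rcv.get(android_attr("name")), priority))

    has_sms = RECEIVE_SMS in perms
    has_net = INTERNET in perms
    return {
        "package": root.get("package"),
        "receive_sms": has_sms,
        "internet": has_net,
        "sms_receivers": sms_receivers,
        "max_receiver_priority": max((p for _, p in sms_receivers), default=0),
        "suspicious": has_sms and has_net and bool(sms_receivers),
    }


# Constructed sample that mimics the pattern described in the article
# (hypothetical package name; not a real ZitMo manifest).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakerapport">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Tool">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign control: network access, a receiver, but nothing SMS-related.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(result["package"], verdict, result["sms_receivers"])
```

The check is a heuristic, not a signature: a legitimate SMS client or two-factor helper will trip it too, so treat a hit as a prompt to look at what the receiver does with the message body (in particular whether it is written to a socket or an HTTP request), not as a verdict on its own.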
To help protect customers from malware attacks, the Federal Financial Institutions Examination Council (FFIEC) has issued updated online-security guidance for financial institutions, which includes the recommendation that banks use multi-factor authentication. ZitMo is a reminder that the channel matters: an mTAN sent by SMS is already a second factor, but when it is delivered to the same phone that is running the malware, the attacker receives it too.
The discovery of ZitMo is the latest blow to the Android landscape, which has recently been hit by Android-specific malware such as a new version of "DroidDream Light" and a new threat dubbed "HippoSMS."