'Premium Security' for Android is actually the Zeus super Trojan
Just-another-fake-Android-security scam carries unusually dangerous payload
Fake security software for Android has taken another step forward in sophistication.
An app calling itself "Android Security Suite Premium" is malware masquerading as security software, and not just any malware, according to Dennis Fisher of Kaspersky Lab's Threatpost blog.
The fake app is a disguised version of the Zeus Trojan, an alarmingly effective data-theft tool built to find and steal bank login information and other financial data, Fisher wrote. Zeus' other notable variations include one that operates without the command-and-control servers a botnet normally requires, one tuned to collect banking credentials from cloud-based services, and the related SpyEye Trojan, which uses webcams and microphones to spy on victims.
The Android Security Suite Premium showed up in Kaspersky Labs' malware traps, but Kaspersky researchers had trouble confirming where it came from or who was running it.
The code was clearly built to copy incoming text messages to one of six command-and-control servers, and those servers yielded almost no data useful to investigators, Kaspersky researchers found.
The servers were registered in Russia using fake details, which could have been the end of the trail.
Though fake, much of that registration data repeats data used in Zeus attacks on mobile devices during 2011. The mobile version goes by the name Zeus-in-the-Mobile, or ZitMo, Fisher wrote.
Although built mainly to steal information already stored on an infected device, or arriving via SMS or email in some versions, the fake Premium Security app could also take commands from its C&C servers to steal system or user data stored on the phone as well as text messages, to uninstall itself, or to shut itself off to avoid detection, according to Denis Maslennikov, the Kaspersky researcher who analyzed the payload.
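The behaviour described above, an app that registers to receive every incoming SMS and has a network path to forward it, is what lets ZitMo capture the one-time codes banks send by text message, and it leaves a recognisable footprint in the app's manifest. The following triage script is an added example written for this page, not code from Kaspersky or from the Threatpost report. It parses a decoded AndroidManifest.xml and flags the combination of an SMS-receive permission, a BroadcastReceiver for SMS_RECEIVED, and an exfiltration permission. Both manifests embedded below are constructed samples: the package names, labels, class names and the 100 priority threshold are assumptions, not values taken from the real malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that let an app read SMS as it arrives ...
INTERCEPT_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# ... and permissions that give it a path to ship the contents out.
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

# Assumption: a receiver priority at or above this value is treated as an
# attempt to see the SMS before the stock messaging app does.
HIGH_PRIORITY = 100

# Constructed sample modelled on a fake security app (not the real ZitMo manifest).
FAKE_SECURITY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitysuite">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Security Suite Premium">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign sample for contrast: network access but no SMS hooks.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Summarise SMS-interception indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

    # Collect every receiver that subscribes to the incoming-SMS broadcast.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = filt.get(ANDROID_NS + "priority")
                sms_receivers.append({
                    "class": recv.get(ANDROID_NS + "name"),
                    "priority": int(prio) if prio is not None else 0,
                })

    intercepts = bool(perms & INTERCEPT_PERMS) and bool(sms_receivers)
    exfil = bool(perms & EXFIL_PERMS)
    if intercepts and exfil:
        verdict = "sms-interception-and-exfiltration"
    elif intercepts:
        verdict = "sms-interception-only"
    else:
        verdict = "no-sms-interception"

    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": app.get(ANDROID_NS + "label") if app is not None else None,
        "intercept_permissions": sorted(perms & INTERCEPT_PERMS),
        "exfil_permissions": sorted(perms & EXFIL_PERMS),
        "sms_receivers": sms_receivers,
        "high_priority_receiver": any(r["priority"] >= HIGH_PRIORITY for r in sms_receivers),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest in (("fake security suite", FAKE_SECURITY_MANIFEST),
                           ("flashlight", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest)
        print(f"{name}: {report['verdict']} "
              f"(label={report['label']!r}, receivers={report['sms_receivers']})")
```

In practice the manifest is pulled from the APK with a decoder such as apktool or aapt first; the script only reads the decoded XML. A high-priority SMS receiver plus INTERNET is a strong indicator, not proof, since legitimate messaging and two-factor apps request the same permissions, so the output is meant to prioritise samples for manual review rather than to convict them.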
The packaging and particular variation of this Zeus incarnation may be new, but they are clearly part of a continuing, larger effort to use the Trojan to steal data and, ultimately, cash from users' bank accounts.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.