Android/Citmo.A!tr.spy
Analysis
Android/Citmo.A!tr.spy is a Trojan for Android devices. It is the mobile component of the well-known Windows Carberp banking Trojan (W32/Carberp), which focuses on stealing confidential data from online banking and trading platforms.
This mobile component is designed to steal the specific SMS messages on the phone that carry mTANs (mobile Transaction Authentication Numbers), the one-time codes used to confirm online transactions. With the credentials stolen from the compromised Windows host and the mTANs stolen from the phone, the attacker is able to complete a transaction on the victim's bank account.
Stealing the mTAN on the mobile device is a technique also known as 'Man in the Mobile'. It is used by other mobile malware such as Zitmo and Spitmo as well.
Android/Citmo.A!tr has been found in the wild posing as security applications or add-ons for mobile banking. The samples have since been removed from Google Play.
Figure 1: Android/Citmo.A!tr installed on an Android emulator
The malware comes packaged as com.sbersafe.apk ("safe reception of SMS from Sberbank"), com.alfasafe.apk (Sberbank) and com.vksafe.apk ("block spam in your Vkontakte account").
Once launched, the malware starts an authentication/verification process whose purpose is to let the malware authors identify the victim:
Step 1: SMS authentication.
The victim is asked to enter a phone number to be used for 'verification' purposes (see Figure 2). The malware silently sends an SMS to that number with the body $*_NUMBER_CHECK_*$.
Figure 2. Malware asks for the victim's phone number for 'verification' purposes.
After a while, if everything works, the victim's phone receives a response SMS, and the originating phone number of that response is stored on the device in a file named auth.txt. This phone number is referred to in the code as 'auPhone', i.e. the authorization phone number.
Figure 3. Pending authentication number verification
The malware listens for that incoming SMS, intercepts it, and displays the authorization phone number (see Figure 4).
Figure 4. Malware displays the authorization phone number. In this particular case, the device is an Android emulator, and the authorization phone number is fake and assumed to be 1234.
Step 2: registration with the remote server.
The malware then posts an HTTP message to a remote server in which it provides the authorization phone number, the victim's IMEI and various other device parameters. The server URL is:
hxxp://berstaska.com/m/as225kerto
and the posted parameter has the following form:
>1|authNumber|sCode|android|DeviceId=IMEI;SimCountryIso=ISO;SimOperatorName=NAME;MODEL=Build.MODEL;BRAND=Build.BRAND;USER=Build.USER;VERSION_RELEASE=Build.Version.RELEASE;VERSION_SDK=Build.Version.SDK
The victim is required to provide a "security code" (sCode above), which basically serves to identify him.
Figure 5. The security code is a decoy. It is just a way to identify the victim.
Step 3: active phase.
During this phase, the malware actively intercepts and filters SMS messages: messages from phone numbers listed in the file hide.txt are hidden from the victim, while those from numbers listed in the file view.txt are displayed.
At regular intervals, the malware contacts the remote server and posts status information via HTTP:
>2|sPhoneNumber|error<
The remote server answers with settings such as the communication interval, the phone numbers to hide (filter_hide), the phone numbers to display (filter_view) and the URLs of the remote servers (gates).
The malware also posts the contents of SMS messages received by the victim's phone:
>3|sPhoneNumber|filter_hide/filter_view|timestamp|body<
In short, the remote server spies on every incoming SMS message on the victim's phone.
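The following is an added example, not code from the malware or from the original analysis: a Python model of the three message formats documented above (registration, status check-in and SMS exfiltration) together with the hide.txt/view.txt filtering of the active phase. It is the kind of parser one would put at the core of a network detection rule for these POST bodies. Assumptions, labelled in the code: every message is terminated by `<` (the write-up shows the terminator for types 2 and 3 only), the value posted as sPhoneNumber is passed in as `s_phone`, senders on neither list are left alone and not reported, and the sample inbox is constructed for the demo.

```python
import re

# Defanged C2 endpoint from the analysis; the write-up names no other gate.
GATE_URL = "hxxp://berstaska.com/m/as225kerto"


def build_register_msg(auth_number, scode, device):
    """Type-1 message sent after the SMS authentication step.
    `device` maps the Build.* field names from the write-up to values.
    Assumption: the frame ends with '<' like the type-2 and type-3 messages."""
    fields = ";".join(f"{k}={v}" for k, v in device.items())
    return f">1|{auth_number}|{scode}|android|{fields}<"


def build_status_msg(s_phone, error=""):
    """Type-2 message: the periodic check-in, carrying the last error text."""
    return f">2|{s_phone}|{error}<"


def build_sms_msg(s_phone, matched_filter, timestamp_ms, body):
    """Type-3 message: one intercepted SMS, tagged with the filter that matched."""
    return f">3|{s_phone}|{matched_filter}|{timestamp_ms}|{body}<"


# Frame: '>' type '|' fields, optionally closed by '<'.
_FRAME = re.compile(r"\A>(\d+)\|(.*?)<?\Z", re.DOTALL)


def parse_msg(raw):
    """Decode a posted body into a dict, or return None when it is not a
    Citmo-style frame. Suitable as the matching core of a detection rule."""
    m = _FRAME.match(raw)
    if not m:
        return None
    mtype, parts = int(m.group(1)), m.group(2).split("|")
    if mtype == 1 and len(parts) >= 4:
        device = dict(kv.split("=", 1) for kv in parts[3].split(";") if "=" in kv)
        return {"type": 1, "auth_number": parts[0], "scode": parts[1],
                "platform": parts[2], "device": device}
    if mtype == 2 and len(parts) >= 2:
        return {"type": 2, "phone": parts[0], "error": parts[1]}
    if mtype == 3 and len(parts) >= 4:
        # The SMS body is the last field and may itself contain '|'.
        return {"type": 3, "phone": parts[0], "filter": parts[1],
                "timestamp_ms": int(parts[2]), "body": "|".join(parts[3:])}
    return None


def classify_sender(sender, hide_numbers, view_numbers):
    """Apply the hide.txt / view.txt lists as the analysis describes them.
    hide.txt wins when a number is on both lists (assumption)."""
    if sender in hide_numbers:
        return "filter_hide"
    if sender in view_numbers:
        return "filter_view"
    return None  # assumption: unlisted senders are neither hidden nor reported


def process_incoming(s_phone, inbox, hide_numbers, view_numbers):
    """Simulate the active phase over (sender, timestamp_ms, body) records.
    Returns (messages the victim still sees, bodies posted to the C2)."""
    shown, posts = [], []
    for sender, ts, body in inbox:
        verdict = classify_sender(sender, hide_numbers, view_numbers)
        if verdict is None:
            shown.append((sender, body))
            continue
        posts.append(build_sms_msg(s_phone, verdict, ts, body))
        if verdict == "filter_view":
            shown.append((sender, body))
    return shown, posts


# Constructed sample inbox (not from the write-up): "900" stands in for a
# bank's mTAN sender; "1234" is the emulator's authorization number (Figure 4).
SAMPLE_INBOX = [
    ("900", 1355848884000, "Your mTAN is 482917 for transfer 250.00"),
    ("1234", 1355848813000, "OK 5678"),
    ("5550100", 1355848600000, "Lunch?"),
]


def demo():
    return process_incoming("1234", SAMPLE_INBOX, {"900"}, {"1234"})


if __name__ == "__main__":
    shown, posts = demo()
    print("victim sees:", shown)
    for p in posts:
        print("POST", GATE_URL, p, "->", parse_msg(p))
```

Run stand-alone, the demo shows the bank's mTAN SMS vanishing from what the victim sees while being posted to the gate with the filter_hide tag, and the authorization SMS being both displayed and posted with filter_view.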
The malware uses several files on the device, stored in the application's directory:
- alarms.txt: a log file
- auth.txt: the authorization phone number
- authcode.txt: the authorization code for the remote server
- errorslist.txt: error log file
- gates.txt: URLs of remote servers
- hide.txt: phone numbers whose SMS are hidden from the victim
- view.txt: phone numbers of SMS to display on the victim's phone
- interval.txt: request interval
- maingate.txt: main remote server to contact
- messagesOld.txt: SMS messages received on the phone. Sample contents from the emulator session, one record per line:
Y 1234 1355848884000 1355848893639 null "OK12329" N N
Y 1234 1355848813000 1355848822446 null "OK 5678" N N
Y 1234 1355848661000 1355848670596 null 5678 N N
Y 1234 1355848607000 1355848615709 null OK N N
N 1234 1355848262000 1355848271278 null $*_NUMBER_CHECK_*$ N N
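As an added example (not code from the analysis), the following Python parser turns messagesOld.txt records like the ones above into structured entries with UTC timestamps, which is what a forensic examiner would want when pulling this file from an infected device. The record layout is inferred from the sample: the write-up only documents the file as "SMS messages received", so the column names are assumptions; the two large numbers are read as millisecond epoch timestamps and the quoted field as the SMS body, and the sample text is the one shown above.

```python
import shlex
from datetime import datetime, timezone

# Records as shown in the analysis (emulator session), one per line.
SAMPLE_MESSAGES_OLD = """\
Y 1234 1355848884000 1355848893639 null "OK12329" N N
Y 1234 1355848813000 1355848822446 null "OK 5678" N N
Y 1234 1355848661000 1355848670596 null 5678 N N
Y 1234 1355848607000 1355848615709 null OK N N
N 1234 1355848262000 1355848271278 null $*_NUMBER_CHECK_*$ N N
"""

# Column names are assumptions inferred from the sample, not documented fields.
# In the sample the only record flagged 'N' in the first column is the
# outgoing $*_NUMBER_CHECK_*$ message, so the flag is read as "incoming".
FIELDS = ("incoming", "number", "sms_time_ms", "seen_time_ms",
          "unknown", "body", "flag2", "flag3")


def parse_record(line):
    """Parse one whitespace-separated record; shlex honours the quoted bodies."""
    parts = shlex.split(line)
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["incoming"] = rec["incoming"] == "Y"
    rec["sms_time_ms"] = int(rec["sms_time_ms"])
    rec["seen_time_ms"] = int(rec["seen_time_ms"])
    rec["unknown"] = None if rec["unknown"] == "null" else rec["unknown"]
    # Epoch milliseconds -> timezone-aware UTC datetimes.
    rec["sms_time"] = datetime.fromtimestamp(rec["sms_time_ms"] / 1000, tz=timezone.utc)
    rec["seen_time"] = datetime.fromtimestamp(rec["seen_time_ms"] / 1000, tz=timezone.utc)
    # Assumed meaning: delay between the SMS timestamp and the malware seeing it.
    rec["delay_ms"] = rec["seen_time_ms"] - rec["sms_time_ms"]
    return rec


def parse_messages_old(text):
    """Parse a whole messagesOld.txt, skipping blank lines."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def timeline(records):
    """Chronological (UTC time, direction, number, body) tuples for a report."""
    rows = sorted(records, key=lambda r: r["sms_time_ms"])
    return [(r["sms_time"].strftime("%Y-%m-%d %H:%M:%S"),
             "in" if r["incoming"] else "out", r["number"], r["body"]) for r in rows]


if __name__ == "__main__":
    for row in timeline(parse_messages_old(SAMPLE_MESSAGES_OLD)):
        print(*row)
```

On the sample the timeline starts with the outgoing $*_NUMBER_CHECK_*$ probe and is followed by the replies from 1234, all within about ten minutes on 18 December 2012 (UTC); the per-record delay between the SMS timestamp and the second timestamp is around nine to ten seconds throughout.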
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Signature database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |