Android/Citmo.A!tr.spy

Analysis

Android/Citmo.A!tr.spy is a Trojan for Android devices. It is the mobile part of the famous Windows Carberp (W32/Carberp) trojan, which is known to focus on stealing confidential data from trade and online banking platforms.
This mobile part is designed to steal particular SMS messages on the phone that carry mTAN (mobile Transaction Authentication Numbers) which are used to complete online transactions. With confidential data stolen from a compromised Windows host and stolen mTANs on the phone, the attacker is able to complete an online transaction on the victim's bank account.
The technique of stealing the mTAN on the mobile device is also known as 'Man in the Mobile'. It is also used by other mobile malware such as Zitmo and Spitmo.
Android/Citmo.A!tr has been found in the wild, posing as security applications or add-ons for mobile banking. The samples have been removed from Google Play.

Figure 1. Android/Citmo.A!tr installed on an Android emulator.

The malware comes packaged as com.sbersafe.apk ("safe reception of SMS from Sberbank"), com.alfasafe.apk (Sberbank) and com.vksafe.apk ("block spam in your Vkontakte account").
Once launched, the malware initiates an authentication/verification process whose goal is to let the malware authors identify the victim:
Step 1. SMS authentication process.
The victim is asked to enter a phone number to be used for 'verification' purposes (see Figure 2). The malware silently sends an SMS to that number with the body: $*_NUMBER_CHECK_*$.

Figure 2. Malware asks for the victim's phone number for 'verification' purposes.
After a while, if everything works fine, the victim's phone should receive a response, and the originating phone number is stored on the device in a file named auth.txt. This phone number is referred to in the code as 'auPhone', i.e. the authorization phone number.

Figure 3. Pending authentication number verification.
The malware listens for that incoming SMS, intercepts it, and displays the authorization phone number (see Figure 4).

Figure 4. Malware displays the authorization phone number. In this particular case, the device is an Android emulator, and the authorization phone number is fake and assumed to be 1234.
Step 2. Register with remote server.
The malware then posts an HTTP message to a remote server, hxxp://berstaska.com/m/as225kerto, in which it provides the authorization phone number, the victim's IMEI and various other parameters:
>1|authNumber|sCode|android|DeviceId=IMEI;SimCountryIso=ISO;
SimOperatorName=NAME;MODEL=Build.MODEL;BRAND=Build.BRAND;
USER=Build.USER;VERSION_RELEASE=Build.Version.RELEASE;
VERSION_SDK=Build.Version.SDK
The victim is required to provide a "security code" (sCode above) which basically helps identify him.

Figure 5. The security code is a decoy. It is just a way to identify the victim.
Step 3. Active phase.
During this phase, the malware actively steals and filters SMS messages. SMS messages that come from phone numbers listed in the file hide.txt are hidden from the victim; those from numbers listed in the file view.txt are displayed.
At regular intervals, the malware contacts the remote server and posts information via HTTP:
>2|sPhoneNumber|error<
The remote server answers with settings such as communication interval, phone numbers to hide (filter_hide), phone numbers to view (filter_view) or URLs of remote servers (gates).
The malware also posts the contents of SMS received by the victim's phone:
>3|sPhoneNumber|filter_hide/filter_view|timestamp|body<

So, basically, a remote server spies on all incoming SMS messages of the victim's phone.
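The three message formats above (registration, periodic poll, exfiltrated SMS) are rigid enough to be recognized in captured HTTP POST bodies. The following parser is an added example for detection and forensic triage, not code from the original analysis or from the malware: it accepts the field layout exactly as the page gives it, rejects anything that does not fit, and breaks the Build.* key/value string of a type-1 message into a dictionary. The sample bodies are constructed; the phone numbers, IMEI and security code in them are made up, and the "1234" authorization number mirrors the emulator case described earlier.

```python
"""Recognize Android/Citmo C2 POST bodies (>1|..., >2|...<, >3|...<) in captured traffic."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample traffic: the field layout follows the analysis, the values are invented.
SAMPLE_BODIES = [
    ">1|1234|4711|android|DeviceId=000000000000000;SimCountryIso=us;"
    "SimOperatorName=Android;MODEL=sdk;BRAND=generic;USER=android-build;"
    "VERSION_RELEASE=2.3.3;VERSION_SDK=10",
    ">2|15551234567|none<",
    ">3|15551234567|filter_hide|1355848884000|\"OK12329\"<",
    "action=login&user=bob",  # unrelated traffic: must not match
]

FILTERS = {"filter_hide", "filter_view"}


@dataclass
class CitmoMessage:
    kind: int        # 1 = registration, 2 = periodic poll, 3 = exfiltrated SMS
    phone: str       # authorization number (kind 1) or sPhoneNumber (kind 2/3)
    extra: dict = field(default_factory=dict)


def _parse_device_info(kv: str) -> dict:
    """Split 'Key=value;Key=value;...' into a dict; an empty dict means 'not this layout'."""
    out = {}
    for seg in kv.split(";"):
        if not seg:
            continue
        if "=" not in seg:
            return {}
        key, value = seg.split("=", 1)
        out[key] = value
    return out


def parse_citmo_body(body: str) -> Optional[CitmoMessage]:
    """Return a CitmoMessage if the body matches one of the three formats, else None."""
    if not body.startswith(">"):
        return None
    payload = body[1:]
    # Type 2 and 3 messages close with '<'; the page shows type 1 without it, so accept both.
    if payload.endswith("<"):
        payload = payload[:-1]
    # Split into at most five fields so an SMS body containing '|' stays intact.
    parts = payload.split("|", 4)
    if not parts[0].isdigit():
        return None
    kind = int(parts[0])
    if kind == 1 and len(parts) == 5 and parts[3] == "android":
        device = _parse_device_info(parts[4])
        if not device:
            return None
        return CitmoMessage(1, parts[1], {"sCode": parts[2], "device": device})
    if kind == 2 and len(parts) == 3:
        return CitmoMessage(2, parts[1], {"error": parts[2]})
    if kind == 3 and len(parts) == 5 and parts[2] in FILTERS and parts[3].isdigit():
        return CitmoMessage(3, parts[1], {
            "filter": parts[2],
            "timestamp_ms": int(parts[3]),  # epoch milliseconds, as in messagesOld.txt
            "body": parts[4],
        })
    return None


def scan_bodies(bodies):
    """Return (index, message) pairs for every body that matches a Citmo format."""
    hits = []
    for i, body in enumerate(bodies):
        msg = parse_citmo_body(body)
        if msg is not None:
            hits.append((i, msg))
    return hits


if __name__ == "__main__":
    for idx, msg in scan_bodies(SAMPLE_BODIES):
        print(f"body[{idx}] -> kind {msg.kind}, phone {msg.phone}, {msg.extra}")
```

In practice the bodies would come from a proxy log or a PCAP of the infected device; a type-3 hit is the most valuable, since its timestamp and body identify exactly which mTAN was forwarded to the operator.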
The malware uses several files on the device, stored in the application's directory:
  • alarms.txt: a log file
  • auth.txt: the authorization phone number
  • authcode.txt: the authorization code for the remote server
  • errorslist.txt: error log file
  • gates.txt: URLs of remote servers
  • hide.txt: phone numbers of SMS to hide from the victim
  • view.txt: phone numbers of SMS to display on the victim's phone
  • interval.txt: request interval
  • maingate.txt: main remote server to contact
  • messagesOld.txt: SMS messages received on the phone
This is an example of the contents of a messagesOld.txt file:
Y       1234    1355848884000   1355848893639   null    "OK12329"       N      N
Y       1234    1355848813000   1355848822446   null    "OK 5678"       N      N
Y       1234    1355848661000   1355848670596   null    5678    N       N
Y       1234    1355848607000   1355848615709   null    OK      N       N
N       1234    1355848262000   1355848271278   null    $*_NUMBER_CHECK_*$     NN

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR

Version Updates

Date Version Detail
2021-02-03 83.76900
2020-05-27 77.73400
2020-02-26 75.55100
2020-02-04 75.03200
2020-01-22 74.71200
2019-05-27 68.82900
2019-04-12 67.75300
2019-02-22 66.58200
2019-01-21 65.79600
2018-12-12 64.85300