Defeating mTANs for profit

Nowadays, many banks try to secure their online transactions by sending the end-user an additional one-time password by SMS (mTAN). Unfortunately, in September 2010, the infamous ZeuS gang released a new variant, named Zitmo, which defeats this method. Zitmo consists mainly of infecting the end-user's mobile phone with a trojan that intercepts SMS messages on the phone. The whole operation is difficult to spot, even for security-aware specialists. This presentation explains how the attack works, from one end to the other. We focus in particular on the mobile trojan's routines that intercept, process, send or release SMS messages. The analysis is conducted side by side with ARM assembly code. We show how to reroute stolen SMS messages to a test phone and how to display the trojan's hidden windows.
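The intercept/process/send/release pipeline the abstract refers to can be modelled in a few lines. The block below is an added illustration for this page, not Zitmo's own code and not taken from the talk: the bank sender names, the mTAN format, the forwarding number and the sample messages are all constructed assumptions. It shows the decision the trojan has to make for every incoming SMS (is this an mTAN from a bank? if so, forward it silently; otherwise let it reach the inbox), and why "rerouting stolen SMS to a test phone" during analysis boils down to overriding one destination value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Sms:
    sender: str
    body: str

# Assumed (not Zitmo's real targets): senders the interceptor treats as banks,
# and the pattern it uses to recognise an mTAN in the message body.
BANK_SENDERS = {"MyBank", "+441234567890"}
TAN_RE = re.compile(r"\b(?:TAN|mTAN|code)[:\s]+(\d{6})\b", re.IGNORECASE)

# Assumed attacker drop number. Rerouting stolen TANs to an analyst's test
# phone amounts to overriding this one value (see process(forward_to=...)).
FORWARD_TO = "+4915551234567"

def classify(sms: Sms) -> Tuple[str, Optional[str]]:
    """Decide what the interceptor does with one SMS.

    Returns ("send", payload) for an mTAN that is to be exfiltrated, or
    ("release", None) for a message that is passed through to the inbox."""
    if sms.sender not in BANK_SENDERS:
        return ("release", None)
    m = TAN_RE.search(sms.body)
    if not m:
        return ("release", None)          # bank message, but no TAN in it
    return ("send", f"{sms.sender}:{m.group(1)}")

def process(messages: List[Sms], forward_to: str = FORWARD_TO):
    """Run the intercept/process/send/release pipeline over a batch of SMS.

    Returns (outbound, inbox): outbound is a list of (destination, body)
    pairs the trojan would send without showing them to the user; inbox is
    the list of messages released to the phone's normal SMS store."""
    outbound, inbox = [], []
    for sms in messages:
        action, payload = classify(sms)
        if action == "send":
            outbound.append((forward_to, payload))
        else:
            inbox.append(sms)
    return outbound, inbox

# Constructed sample traffic: one real mTAN, one chat message, one bank
# notification without a TAN.
SAMPLE = [
    Sms("MyBank", "Your mTAN: 482913 for transfer of 1500 EUR"),
    Sms("Alice", "lunch at 12?"),
    Sms("MyBank", "Your monthly statement is ready"),
]

if __name__ == "__main__":
    out, inbox = process(SAMPLE)
    print("forwarded:", out)
    print("released:", [s.body for s in inbox])
    # Analyst run: same logic, but stolen TANs land on a test phone instead.
    print("rerouted:", process(SAMPLE, forward_to="+4915550000000")[0])
```

Only the mTAN is diverted; the two other messages are released unchanged, which is what makes the theft hard to notice on the victim's phone. During analysis, pointing `forward_to` at a phone you control is the quickest way to confirm which messages the interceptor actually steals.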


References

ShmooCon 2011