Report an incident
Report an incident

ZITMO: The new mobile threat
23 January 2011 | CERT Polska | #malware


ZeuS is a “popular” spyware, a short analysis of which we had provided earlier. ZITMO, or “Zeus In The MObile”, is a new threat that has been affecting customers of Polish banks for the past few weeks. This is a new variation of Zeus, targeting smartphones as well as PCs. Infecting a mobile device opens new possibilities to malware authors, allowing them to retrieve information from SMS messages such as mobile Transaction Authentication Numbers (mTANs) or SMS notifications from a bank.

How do mobile phones get infected?

  1. The attacker infects a PC with malware by using a trojan, drive-by-download or any other technique.


  1. The malware modifies contents of a legitimate bank website on the victim’s computer. A new dialog asking for phone model and number is injected during login process.


  2. Once having this information, the attacker automatically sends an SMS with a link to malicious software dedicated for the victim’s smartphone.


  3. The unaware user follows the link, ultimately getting the malware installed on his/her smartphone


  4. The infected smartphone sends an SMS back to the attacker to report a succesfull installation. From this moment the attacker can fully control both the PC and the smartphone of the victim


Who can be a victim of ZITMO?

The following link contains a complete list of smartphones currently targeted by ZITMO. It includes phones running BlackBerry, Symbian or Windows Mobile operating systems. The message sent to a user during infection phase claims to contain a link to a “digital ceritifcate” which ends with “cert.jad”, “cert.sis” or “”, depending on the platform.




How to avoid getting infected (and losing money)?

Be alert when logging in to your bank’s web interface. Watch out for unexpected dialogs and requests for information that the bank never requested before (such as PIN numbers, mobile phone model, unnecessary TAN numbers etc.). When not sure, contact your bank immediately.

Preliminary analysis of the attack

When successfully installed on a smartphone, the application sens an SMS “App Installed OK” to a predefined phone number. All the malware we have seen contacts the same numbers starting with +4477. It is different from the number used in the September attacks in Spain just by few digits. It should be noted that both the PC-infecting malware and its configuration files carry a number version 3.1, which may indicate that a new version of Zeus has appeared. CERT Polska is investigating both the PC and the smartphone version of Zeus.




Scale of the threat

CERT Polska is in contact with mobile operators and banks to facilitate monitoring and reacting to the new threat. An estimate number of infected smartphones in Poland does not exceed 100.