Last week, we analysed the behaviour of the mobile module used by SpyEye to redirect the victim's SMSs to the attacker. We have now observed that a panel is used to receive the data collected by the malware, which lists every intercepted message in a simple and clear way.
The panel we located is written entirely in Russian and has only one button, used to refresh the displayed data. It is very simple, and its sole purpose is to display the collected data quickly. It is worth mentioning that the same host that housed this panel also hosted a SpyEye panel. The two did not appear to be related to each other, but the malware used that same URL as its dropzone.
Below is a simulated request, showing the behaviour of the panel and the information it would display:
The process works as follows: the attacker initiates a transfer using the banking credentials stolen from the user infected with Spitmo. When the bank checks that the transaction is legitimate, it sends an SMS to the infected user's mobile phone. This SMS is intercepted by the malware and forwarded to the panel. Almost instantly, the attacker is in possession of a valid token with which to complete the transaction.
The whole process can be carried out without raising suspicion, as it is completely transparent to the user.
All this raises doubts about how safe we are when using a device that is continually interacting with the internet and over which we do not have full control of what it is doing at any given moment.
Juan Carlos Montes