SpyEye’s is known for Symbian OS malware development called SPITMO and lately they developed a new version to work and attack Android-based handsets.
Spitmo entered Android world in April as reported by F-Secure on their blog. Researchers with Trusteer discovered at the end of July a new strain of Spitmo malware.
How this trojan works: it injects fields into a bank’s webpage and asks the customer to input his mobile phone number along with the IMEI of the phone, informing the customer that the information is needed so a “certificate” can be sent to the device in up to three days time before the certificate gets issued.
“The trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate,” said Ayelet Heyman “The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.”
For a full analysis of this malware and how it interacts with Android devices head over to Trusteer dot com.