ANDROIDOS_ZITMO.HBTA
Android OS

Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It uses a convincing graphical user interface to make users believe that the software is legitimate.
It steals certain information from the system and/or the user.
TECHNICAL DETAILS
Arrival Details
This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Information Theft
This spyware steals the following information:
- SMS
- Phone Number
- IMEI
Mobile Malware Routine
This spyware sends the gathered information via HTTP POST to the following URL(s):
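As an added defender-side example (not code from this description or from Trend Micro), the helper below scans Squid-style proxy access log lines and flags HTTP POST requests whose URL path matches the exfiltration endpoints used by this spyware's command-and-control URLs (/ss/app.php, /ss/g.php, /sms/kt808.php, /sms/d_m009.php, /sms/me_v689.php, /zert/gate.php). The log lines and the example.invalid hosts are constructed; the real hosts are redacted in the description above.

```python
"""Flag HTTP POSTs whose URL path matches the ZITMO exfiltration
endpoints named in this description (triage helper for proxy logs).
Sample log lines below are constructed; hosts are placeholders."""
import re
from urllib.parse import urlsplit

# Path patterns taken from the C&C URLs in this description (hosts redacted there).
ZITMO_C2_PATHS = (
    r"^/ss/(app|g)\.php$",
    r"^/sms/(kt808|d_m009|me_v689)\.php$",
    r"^/zert/gate\.php$",
)
_PATH_RE = re.compile("|".join(ZITMO_C2_PATHS))

# Squid native access log: time elapsed client code/status bytes method url ...
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def is_zitmo_post(method, url):
    """True when a POST targets one of the known exfiltration paths."""
    if method != "POST":
        return False
    # Compare the path only: query strings and hosts vary between samples.
    return _PATH_RE.match(urlsplit(url).path) is not None

def find_zitmo_hits(lines):
    """Return (timestamp, client, url) for each matching log line."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line)
        if m and is_zitmo_post(m.group("method"), m.group("url")):
            hits.append((m.group("ts"), m.group("client"), m.group("url")))
    return hits

# Constructed sample lines; example.invalid hosts stand in for the blocked ones.
SAMPLE_LOG = [
    "1370000001.123 45 10.0.0.7 TCP_MISS/200 512 POST http://c2-a.example.invalid/ss/app.php - DIRECT/203.0.113.5 text/html",
    "1370000002.456 30 10.0.0.7 TCP_MISS/200 300 GET http://www.example.invalid/ss/app.php - DIRECT/203.0.113.6 text/html",
    "1370000003.789 60 10.0.0.9 TCP_MISS/200 640 POST http://c2-b.example.invalid/sms/kt808.php?id=1 - DIRECT/203.0.113.7 text/html",
    "1370000004.000 20 10.0.0.9 TCP_MISS/200 100 POST http://updates.example.invalid/zert/gateway.php - DIRECT/203.0.113.8 text/html",
]

if __name__ == "__main__":
    for hit in find_zitmo_hits(SAMPLE_LOG):
        print("ZITMO C&C POST:", *hit)
```

A GET to the same path and a near-miss path such as /zert/gateway.php are deliberately left unflagged so the match stays tied to the POST behaviour this description reports.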
SOLUTION
Step 1
Scan your computer with your Trend Micro product to delete files detected as ANDROIDOS_ZITMO.HBTA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increases device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites: