According to Axelle Apvrille, a senior antivirus researcher and analyst with Fortinet's French operation, the Zitmo malware has been spotted being distributed by Zeus malware-using gangs, presumably to intercept the one-time PINs used by European banks to authenticate specific online transactions.
According to Apvrille, there has been an active discussion on technical forums regarding Zeus gangs who are targeting Android users.
"We finally managed to get our hands on the mobile sample the Zeus PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when propagated by the Zeus gang", she says in her latest security posting.
Because the malware is posing as an Android banking activation application, she says, users install the app and, in the background, ZitMo listens to all incoming SMS messages and forwards them to a remote web server.
"It's simple, but just enough for the Zeus gang to grab your banking mobile transaction authentication numbers," she says.
Over at Sophos, fellow researcher Vanja Svajcer says that it has been quite clear that the gangs behind Zeus have been interested in developing malware for mobile platforms.
"However, until now we have not seen any evidence of Zeus targeting users who own Android or iOS (iPhone/iPad) devices", he said, adding that this was quite surprising, considering the popularity of the Android and iOS platforms and the growing prevalence of malware being written for the Google Android operating system in particular.
In the last couple of days, however, there has been quite a lot of discussion on the mobile malware analysis mailing lists about a version of an Android version of Zeus, he notes.
According to Svajcer, he and his team eventually concluded that this was a malicious application that Sophos products have been detecting as Andr/SMSRep-B since the end of May.
"The malicious application pretends to be an Android version of Trusteer Rapport banking security tool, and was served to devices running the Google Android OS by a web server which was set up to deliver Zbot malware to multiple platforms", he says in his latest security blog.
"After the fact, it was not difficult to connect the Android application with Zeus toolkit, although we could not conclude 100% that there was a connection", he adds.