
Analysis of Android.Zitmo-Urlzone

Intro: What is Android.Zitmo-Urlzone?
Android.Zitmo-Urlzone is the mobile “add-on” for the banking trojan Urlzone. This app, a Zeus-in-the-Mobile (ZitMo) variant, steals incoming SMS messages and uploads them to the attacker’s server. Its primary purpose is to defeat online banking’s two-factor authentication by intercepting the confirmation SMS (mTAN) that banks send to their customers.

Step 1: Forcing the User to Install the App
If a user’s Windows PC is compromised with Urlzone and the user browses to his bank’s website, a message is shown after login presenting a new security solution that is now mandatory for continued use of the online banking service. The “solution” pretends to be an Android application that protects the phone’s SMS messages from being intercepted by a Trojan installed on the smartphone.

[Screenshots: the Urlzone webinject, its details pop-up, the phone number validation step and the “Waiting for activation code” page.]
To complete the installation, the user has to enter an activation code generated by the malicious app.

You can see the login credentials as plain text in the source code of the web page.

[Screenshots from the phone: “Android Security Warning”, “Enable the checkbox for Unknown sources”, “Unknown Sources Warning”, “Permissions”, “(Malicious) Application installed”, “Your Password!”, “Smart 1.2 App Security”.]

The malicious application has the following characteristics:

Original name: SmartSecurity_ver_1_2.apk
MD5: 5f6b00bd0c7567e2a327eac8455aa4a7
SHA-1: da661e06cf48a5f7921af202589a6d6c72c5439e
ssdeep: 1536:/vWTBfBIjpOIB6GJ5I5MBHGPMKOeDIWS2Fw:XMBpIlOIBh3Iu7e1M
File Size: 103.078 Bytes


Submission date: 2013-09-12 07:28:33 UTC
Result: 23/47

Android.Zitmo-Urlzone.rar (password is infected)

Before analyzing the Dalvik code or Java source code we have to go through the AndroidManifest.xml file to understand the application’s characteristics.

Below is the manifest file (closing tags restored; the package and class names that were empty in the extracted listing are left as they were):

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" package="">
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@drawable/zamok" android:allowBackup="true">
        <activity android:label="@string/app_name" android:name="">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <service android:name=".IDLEService" android:enabled="true" />
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name="" />
        <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
</manifest>

## Requested Permissions ##
android.permission.RECEIVE_SMS (receive SMS):
Allows an application to receive and process SMS messages.
Malicious applications may monitor your messages or delete them without showing them to you.

android.permission.ACCESS_NETWORK_STATE (view network status):
Allows an application to view the status of all networks.

android.permission.INTERNET (full Internet access):
Allows an application to create network sockets.

android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot):
Allows an application to start itself as soon as the system has finished booting.

android.permission.SEND_SMS (send SMS messages):
Allows an application to send SMS messages.
Malicious applications may cost you money by sending messages without your confirmation.

android.permission.READ_PHONE_STATE (read phone state and identity):
Allows an application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.

android.permission.WAKE_LOCK (prevent phone from sleeping):
Allows an application to prevent the phone from going to sleep.

## Activities ##
From the manifest we can identify the Main Activity between the activity tags:

        <activity android:label="@string/app_name" android:name="">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

So this activity is the main activity, and it will be the first class invoked when the malware is launched.

Last but not least we can also check Services and Receivers:

## Services ##

<service android:name=".IDLEService" android:enabled="true" />

## Receivers ##

        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        <receiver android:name="" />
        <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
                <action android:name="android.intent.action.BOOT_COMPLETED" />

Now that we’ve analysed the manifest, we can take a look at the code.

The method onCreate() is what we are interested in, so here’s the code:

  protected void onCreate(Bundle paramBundle) {
    j = getApplicationContext();  // application context kept in a static field
    // b[0] and f are static String fields with obfuscated names
    if (!b[0].isEmpty()) {
      if (f.isEmpty())
        ((Button)findViewById(2131165187)).setOnClickListener(new c(this));
    }
  }

The malware is clearly able to survive a reboot. If you scroll up to the manifest explanation you’ll see that the RECEIVE_BOOT_COMPLETED permission and the onBootReceiver receiver are requested in order to remain persistent on the system.

Here is its code (the stray semicolon after the first if in the decompiler output has been dropped and the braces restored):

public class onBootReceiver extends BroadcastReceiver {
  public void onReceive(Context paramContext, Intent paramIntent) {
    try {
      if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction()))
        if (!MainActivity.b[0].isEmpty()) {
          // body not recovered in the decompiled listing
        }
    } catch (Exception localException) {}
  }
}

Checks if an internet connection is available:
Source: -> API Call:
Source: -> API Call:

Queries the phone number and the unique device ID (IMEI, MEID or ESN):
Source: -> API Call: android.telephony.TelephonyManager.getLine1Number
Source: -> API Call: android.telephony.TelephonyManager.getDeviceId

## File operations ##
write /data/data/

Hardcoded URLs:

[Screenshots: “Found URLs”, “URL Parameters”]

POST requests:

[Screenshots: “POST Requests”, “TCP Stream”]

Step 2: The Trojan Action
After the Trojan has been installed successfully, all incoming SMS messages are intercepted and sent to the attacker’s server.


Below, the callgraph: [image]

APK Tool – A tool for reverse engineering Android apk files
dex2jar – Tools to work with android .dex and java .class files
Manifest.permission | Android Developers
