A Zeus Trojan has been created designed to acquire authentication numbers from mobile phones to complete banking transactions.
Even if hackers manage to gain access to a bank account by obtaining a username and password, in some cases they will still require an mTAN - a mobile transaction authentication number, sent via SMS.
In this case, however, a Zeus variant was seen launching a webpage during online banking processes, where the user was forced to enter information about their mobile phone, including its model and number.
Then an SMS was sent to the online banker containing a link purporting to be for a security download, when in reality it was for a malicious application.
Once installed, the app monitored all incoming text messages, including those from a bank, allowing the cyber criminals to get hold of the mTAN.
The findings were initially made public by S21sec, a digital security services company, but now F-Secure has backed the research.
The malicious application can run on BlackBerry and Symbian devices. In the latter case, the malicious file is sold as a "Nokia update" and affects S60 3rd Edition mobile phones, F-Secure said.
S21sec said it has been in contact with mobile providers to help identify infected phones.
Having analysed the Zeus variant, it appears to be the work of people with "an excellent understanding" of mobile applications and social engineering, F-Secure added.
Sean Sullivan, F-Secure's chief security advisor, said his firm believes a number of customers will have been infected in Spain, as this is where the Trojan was identified, but he is interested to see if similar attacks hit the UK and elsewhere.
"I think [S21sec has] found this actually by backtracking from banking customers," Sullivan explained to IT PRO.
"I think the goal [was to] hit a number of key accounts, target some prime accounts that actually have hundreds of thousands."
