Android and malware has been a hot topic lately. Every new post that I read, the situation seems a bit more alarming. Last week we wrote that malware infections on Android have been on the rise, with infections growing threefold in Q2. Today we hear that a payment malware in China has already managed to infect 500,000 Android devices!
Trojan!SMSZombie is what this infectious malware is called. TrustGo discovered it roughly a month ago, and offers a service to remove the virus from infected handsets. They claim that the trojan has built-in defence mechanisms to keep it under the radar and avoid being removed. The trojan usually disguises itself as one of various wallpaper apps. It manages to install itself on the device when the user is prompted to install additional files, which they believe are associated with the selected wallpaper app. The trojan is then able to generate unauthorised payments and steal bank card numbers and money transfer receipt information from the infected device.
The problem lies in the lack of Google Play (the Android Marketplace) in China. Users are forced to use 3rd party app stores in order to download new software. The app stores again can contain all types of malware, and malware infected applications. Even though you think you download a perfectly nice little wallpaper, it could come bundled together with a malware that tracks your doings.
This is yet again another warning for those who don’t use approved antivirus software on Android. Either install a working antivirus solution, or switch to a closed mobile operating system, i.e. iOS or Windows Phone.
Below is what TrustGo has to say about Trojan!SMSZombie.
Read more: New Virus SMSZombie.A Discovered by TrustGo Security Labs
By TrustGo Security Labs, August 15, 2012, in Malware, Security
SUMMARY
On July 25th, 2012, analysts at TrustGo Security Labs discovered a new virus dubbed, Trojan!SMSZombie.A. This complex and sophisticated malware takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments, steal bank card numbers and money transfer receipt information.
DETAILS
This malicious code has a number of features that make it difficult to detect and eradicate:
- The malicious code is added to users’ devices after downloading and installing the app, so the apps themselves do not have malicious markers in the marketplace
- The amount and timing of unauthorized charges can be changed at any time by the malware makers, so users are often unaware that they have been hacked
- Once installed, the virus is able to disable users’ ability to delete it.
SMSZombiePay has been found on China’s largest mobile app marketplace, GFan, and has been identified in the following packages:
- com.ldh.no1
- com.lzll.pic
- com.xqxmn18.pic
- com.gmdcd.pic
- com.gsjnqt1.pic
- com.zqbb1221.pic
- com.bntsxdn.pic
The SMSZombie virus has been hidden in a variety of wallpaper apps and attracts users with provocative titles and pictures. When the user sets the app as the device’s wallpaper, the app will request the user to install additional files associated with the virus. If the user agrees, the virus payload is delivered within a file called “Android System Service.”
Once installed, the virus then tries to obtain administrator privileges on the user’s device. This step cannot be canceled by the user, as the “Cancel” button only reloads the dialog box until the user eventually is forced to select “Activate” to stop the dialog box. These privileges disable users’ ability to delete the app, causing the device to return to the home screen even after choosing to uninstall the app. Using a configuration file that can be updated by the malware maker at any time, the malware can intercept and forward a variety of SMS messages. Because these messages often include banking and financial information, users’ accounts can easily be hacked further.
It has been confirmed that this virus has been used to recharge online gaming accounts via the China Mobile SMS Payment system. Commonly, the victim’s account is charged a relatively low amount to escape detection.
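The package names above, together with the device-administrator persistence trick just described, are what a responder has to work with when checking a handset. The script below is an added example (not TrustGo's code) that parses a package inventory in the `package:<name>` format printed by `adb shell pm list packages`, matches it against the package names listed in the report, and puts any match that also holds device-administrator rights first, since those are the ones a normal uninstall will not remove. The inventory lines and the device-admin set are constructed sample data; the `SAMPLE_DEVICE_ADMINS` set is a hypothetical stand-in for whatever the device's admin settings report.

```python
"""Triage helper for the SMSZombie package list.

Added example, not TrustGo's code. Matches an installed-package inventory
against the package names published in the TrustGo report and flags matches
that hold device-administrator rights (the persistence trick the report
describes). The inventory text and device-admin set are constructed samples.
"""
import re

# Package names exactly as listed in the TrustGo report.
SMSZOMBIE_PACKAGES = {
    "com.ldh.no1", "com.lzll.pic", "com.xqxmn18.pic", "com.gmdcd.pic",
    "com.gsjnqt1.pic", "com.zqbb1221.pic", "com.bntsxdn.pic",
}

# Constructed sample in the format of `pm list packages` ("package:<name>").
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.lzll.pic
package:com.example.gallery
package:com.bntsxdn.pic
package:com.android.mms
"""

# Constructed, hypothetical set of packages currently holding device-admin
# rights on the sample handset.
SAMPLE_DEVICE_ADMINS = {"com.bntsxdn.pic", "com.android.email"}

_PM_LINE = re.compile(r"^package:(\S+)$")


def parse_pm_list(text):
    """Return the set of package names in `pm list packages` output,
    ignoring blank or malformed lines."""
    pkgs = set()
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkgs.add(m.group(1))
    return pkgs


def triage(pm_output, device_admins, iocs=SMSZOMBIE_PACKAGES):
    """Return a sorted list of (package, is_device_admin) for every installed
    package on the IoC list. Device-admin matches sort first because they
    need the manual removal procedure rather than a plain uninstall."""
    installed = parse_pm_list(pm_output)
    hits = [(pkg, pkg in device_admins) for pkg in installed & iocs]
    return sorted(hits, key=lambda hit: (not hit[1], hit[0]))


if __name__ == "__main__":
    for pkg, is_admin in triage(SAMPLE_PM_OUTPUT, SAMPLE_DEVICE_ADMINS):
        status = "device admin: manual removal required" if is_admin else "plain uninstall"
        print(f"{pkg}: {status}")
```

On a real handset the inventory would come from `adb shell pm list packages` and the device-admin set from the device's security settings; the matching logic stays the same, and an empty result means none of the listed package names are present.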
DETECTION & REMOVAL
TrustGo Antivirus & Mobile Security is the ONLY mobile security app that can detect the SMSZombie virus. All versions of TrustGo Mobile Security are automatically updated to detect it through our cloud services. Because of the advanced features of this virus, the only way to remove it is through the manual processes described at www.trustgo.com/en/smszombie-eliminate. TrustGo Security Labs is currently developing an automatic removal process to be included in the next update of TrustGo Antivirus & Mobile Security, expected to be released in late August, 2012.