Hidden wallpaper app infects 500k Android devices

By Danielle Walker on Aug 22, 2012 8:06 AM
Filed under Security

Chinese marketplace hit.

Android malware that takes over user administration privileges with the intention of stealing victims' bank card numbers and making fraudulent purchases has spread through GFan, China's mobile app marketplace.

The backdoor trojan, called SMSZombie, was first discovered in late July by mobile security company TrustGo, and has since infected more than 500,000 Android devices, primarily in China.

"The most critical thing is that it actually takes over – it gets access to the system administrator," said Jeff Becker, head of marketing at TrustGo. "In the background, it takes control over the ability to send SMS messages through the system."

The messages send payments to the attackers, who can also recover "confirmation" texts containing additional details that the fraudsters may be able to use to extract money from victims' bank accounts.

The virus spreads through infected wallpaper apps. According to a blog post written last week, TrustGo has identified several compromised apps on GFan.

When a user downloads the wallpaper app, they are prompted to download additional files, including one called "Android System Service", which contains the payload.

The trojan then interferes with the system to the point that the user cannot delete the app: instead, the device is forced back to the smartphone's home screen.

"Once it takes over, it sends payment requests on its own," Becker said. "There's an interface the developers can use to change the amounts, timing and destination of the payments."

Smaller payments are charged to victims' accounts, with the intention that the fraud will go unnoticed. Becker said that unauthorised payments in the amount of $5 usually show up on victims' cell phone bills.

TrustGo said the malware is not a major threat to Android users in the United States, or those outside the impacted market in China, as the trojan targets a vulnerability specific to the Chinese mobile SMS payment process.

Becker said the system's weakness lies in its simplicity, as many users enable paid services through pre-paid SIM card accounts.

"This particular payment system must have fewer safeguards to make it work simply and efficiently," Becker explained. "Because the virus has acquired permissions to send and edit SMS messages on behalf of the user, China Mobile only knows that the payment has been authorised, [so] it deducts the amount immediately from the SIM card-connected account."
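The combination the article describes (a wallpaper app that requests SMS send/receive rights and registers itself as a device administrator so it cannot be uninstalled) is something a reviewer or app-store scanner can flag from the manifest alone. The following is an added example, not TrustGo's detection logic or any code from the malware; the manifests are constructed and the package names are placeholders.

```python
"""Manifest triage for the SMSZombie-style behaviour described above.
Added example, not TrustGo's logic. Manifest text below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
# A DeviceAdminReceiver must be protected by this permission; its presence
# means the app can become a device administrator and resist removal.
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

def parse_manifest(xml_text: str) -> dict:
    """Return the declared permissions and whether a device-admin receiver exists."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM
                for r in root.iter("receiver"))
    return {"permissions": perms, "device_admin": admin}

def triage(manifest: dict, is_wallpaper_app: bool) -> list:
    """List matching indicators; the full combination is the pattern in the article."""
    findings = []
    sms = manifest["permissions"] & SMS_PERMS
    if sms:
        findings.append("sms-permissions:" + ",".join(sorted(sms)))
    if manifest["device_admin"]:
        findings.append("device-admin-receiver")
    if is_wallpaper_app and sms and manifest["device_admin"]:
        findings.append("HIGH: wallpaper app combining SMS access with device admin")
    return findings

# Constructed manifests; package names are placeholders, not real apps.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper2">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(parse_manifest(m), is_wallpaper_app=True))
```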

To avoid such threats, experts typically advise users to install applications only from trusted marketplaces, such as Google Play (formerly the Android Market).

This article originally appeared at scmagazineus.com


Copyright © SC Magazine, US edition
