Blog

New Virus SMSZombie.A Discovered by TrustGo Security Labs

By TrustGo Security Labs On August 15, 2012 In Malware, Security

SUMMARY


On July 25th, 2012, analysts at TrustGo Security Labs discovered a new virus dubbed, Trojan!SMSZombie.A. This complex and sophisticated malware takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments, steal bank card numbers and money transfer receipt information.

DETAILS


This malicious code has a number of features that make it difficult to detect and eradicate:

  • The malicious code is added to users’ devices only after the app has been downloaded and installed, so the apps themselves carry no malicious markers in the marketplace.
  • The amount and timing of the unauthorized charges can be changed at any time by the malware makers, so users are often unaware that they have been hacked.
  • Once installed, the virus disables the user’s ability to delete it.

SMSZombiePay has been found on China’s largest mobile app marketplace, GFan, and has been identified in the following packages:

  • com.ldh.no1
  • com.lzll.pic
  • com.xqxmn18.pic
  • com.gmdcd.pic
  • com.gsjnqt1.pic
  • com.zqbb1221.pic
  • com.bntsxdn.pic


The SMSZombie virus has been hidden in a variety of wallpaper apps and attracts users with provocative titles and pictures. When the user sets the app as the device’s wallpaper, the app will request the user to install additional files associated with the virus. If the user agrees, the virus payload is delivered within a file called “Android System Service.”

Once installed, the virus then tries to obtain administrator privileges on the user’s device. This step cannot be canceled by the user, as the “Cancel” button only reloads the dialog box until the user is eventually forced to select “Activate” to stop the dialog box. These privileges disable the user’s ability to delete the app: the device simply returns to the home screen even after the user chooses to uninstall it.

Using a configuration file that can be updated by the malware maker at any time, the malware can intercept and forward a variety of SMS messages. Because these messages often include banking and financial information, users’ accounts can easily be hacked further.

It has been confirmed that this virus has been used to recharge online gaming accounts via the China Mobile SMS Payment system. Commonly, the victim’s account is charged a relatively low amount to escape detection.
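As an added illustration (not code from TrustGo or the original post), the following Python triage checks an app inventory for the package names listed above and for the behaviour pattern described here: a non-system app holding device-administrator rights together with SMS permissions. The inventory format and the sample entries are constructed for the example; how the inventory is collected from a device is left to the caller.

```python
# Added triage example (not TrustGo's code): flag installed apps that match the
# packages named in this post, or that show the SMSZombie pattern of a non-system
# app holding device-admin rights together with SMS permissions.

# Package names listed in the post.
SMSZOMBIE_PACKAGES = {
    "com.ldh.no1", "com.lzll.pic", "com.xqxmn18.pic", "com.gmdcd.pic",
    "com.gsjnqt1.pic", "com.zqbb1221.pic", "com.bntsxdn.pic",
}

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
}


def triage(inventory):
    """Return {package: [reasons]} for every app worth a closer look.

    `inventory` is a list of dicts with keys: package, system (bool),
    device_admin (bool), permissions (set of permission strings). This
    format is an assumption of the example, not an Android API.
    """
    findings = {}
    for app in inventory:
        reasons = []
        if app["package"] in SMSZOMBIE_PACKAGES:
            reasons.append("package name matches a known SMSZombie.A sample")
        sms = app["permissions"] & SMS_PERMISSIONS
        if not app["system"] and app["device_admin"] and sms:
            reasons.append("non-system device admin with SMS access: "
                           + ", ".join(sorted(p.rsplit(".", 1)[1] for p in sms)))
        if reasons:
            findings[app["package"]] = reasons
    return findings


# Constructed sample inventory for demonstration; not data from a real device.
SAMPLE_INVENTORY = [
    {"package": "com.android.phone", "system": True, "device_admin": False,
     "permissions": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}},
    {"package": "com.xqxmn18.pic", "system": False, "device_admin": True,
     "permissions": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}},
    {"package": "com.example.wallpaper", "system": False, "device_admin": True,
     "permissions": {"android.permission.READ_SMS"}},
    {"package": "com.example.notes", "system": False, "device_admin": False,
     "permissions": {"android.permission.READ_SMS"}},
]

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```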

DETECTION & REMOVAL


TrustGo Antivirus & Mobile Security is the ONLY mobile security app that can detect the SMSZombie virus. All versions of TrustGo Mobile Security are automatically updated to detect it through our cloud services. Because of the advanced features of this virus, the only way to remove it is through the manual process described at www.trustgo.com/en/smszombie-eliminate. TrustGo Security Labs is currently developing an automatic removal process to be included in the next update of TrustGo Antivirus & Mobile Security, expected to be released in late August 2012.