
Chinese App Stores Hit by SMS Malware, Half a Million devices Infected

We have been reporting continually on the growing presence of Android malware and how far its reach keeps spreading.

Reportedly, Chinese app stores have been hit by the discovery of a new type of virus capable of running in stealth mode and initiating unauthorized payments. As we know, the Google Play Store has been barred in China, but with Android on the rise in the South-Asian nations, these app stores have sprung to life.

TrustGo was the first to identify the presence of the malware, which is believed to have affected nearly 500,000 devices by now. The sophisticated malware has been nicknamed ‘Trojan!SMSZombie’ and was first identified on July 25 by the firm.

TrustGo has successfully implemented a technique to remove the malware, which has potentially entrenched itself in thousands of devices.

According to TrustGo, the virus is capable of making unauthorized payments and accessing bank, credit card and debit card details, along with details of past payments and bill history. The virus runs in complete stealth mode, thereby avoiding detection. TrustGo was in fact the first security specialist to cite the presence of the malware in Gfan, one of the most famous Chinese app stores. The app store has a combined membership of over half a million people. Though the count is puny in comparison to China’s 683 million subscribers, it still has enough potential to create serious mayhem.

The creators of the malware were canny enough to build a potent virus that avoided detection by running in complete stealth mode. They recharged accounts for online gaming sites and other anonymous services by making “relatively low” deposits from infected phones. This clandestine approach helped them stay under the radar and avoid detection.

The malware exploits a vulnerability in China Mobile’s SMS payment gateway system. Since many users in China make payments over SMS, it becomes relatively easy for the malware to obtain bank card and account details.

TrustGo in its blog explains how the virus gains access to SMS functionality to make unauthorized payments:

The SMSZombie virus has been repackaged in numerous wallpaper apps, which attract users with their alluring titles and pictures. When users use this app to set their device’s wallpaper, the app prompts the user to download additional files, which are associated with the virus. When the user gives the affirmation, the virus payload is received within a file named “Android System Service.”

After installation, the virus then tries to access administrator privileges on the installed device. It prompts the user for access. The developers were quirky enough to disallow cancellation by the user. Pressing the “Cancel” button only reloads the dialog box until the user is eventually forced to select “Activate” to stop the dialog box. These privileges would now prevent users from deleting the given app. Uninstalling the app would cause the device to return to the home screen.

TrustGo also explains how the malware gains access to bank accounts and cards:

Using a configuration file that can be updated by the malware maker anytime, the malware can intercept and forward a variety of SMS messages. Because these messages often include banking and financial information, bank accounts can be easily hacked.
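The two behaviours TrustGo describes above, a device-administrator prompt that cannot be refused and a receiver that hooks incoming SMS, both leave traces in an app's manifest. As an added example that is not part of TrustGo's write-up or this article, the Python below is a defender-side static check that flags that combination in a decoded AndroidManifest.xml (as apktool emits it); the sample manifest is constructed for illustration and is not a real SMSZombie artefact.

```python
"""Static heuristic for SMSZombie-style behaviour: an app that asks for
device-administrator rights AND declares SMS permissions or an SMS_RECEIVED
receiver. Input is a decoded AndroidManifest.xml as text."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
             "android.permission.READ_SMS"}

def analyse_manifest(xml_text: str) -> dict:
    """Return which indicators the manifest declares and an overall verdict."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    # Permissions the app requests at install time.
    declared = {el.get(name_attr) for el in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN is the hook for device-admin rights,
    # which is what lets the app resist uninstallation.
    device_admin = any(rx.get(perm_attr) == "android.permission.BIND_DEVICE_ADMIN"
                       for rx in root.iter("receiver"))
    # An SMS_RECEIVED action lets the app see (and potentially forward) incoming SMS.
    sms_receiver = any(act.get(name_attr) == "android.provider.Telephony.SMS_RECEIVED"
                       for act in root.iter("action"))
    sms_perms = sorted(declared & SMS_PERMS)
    return {
        "package": root.get("package"),
        "device_admin": device_admin,
        "sms_receiver": sms_receiver,
        "sms_permissions": sms_perms,
        "suspicious": device_admin and (sms_receiver or bool(sms_perms)),
    }

# Constructed sample (hypothetical package name): a "wallpaper" app that also
# wants device-admin rights and the SMS_RECEIVED broadcast at high priority.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Android System Service">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(analyse_manifest(SAMPLE_MANIFEST))
```

A wallpaper app has no legitimate reason to hold either capability, so a hit here is worth a manual look even though the heuristic alone is not proof of malice.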

The presence of such malware is a serious threat to the openness of Android. Users have the luxury of tinkering with settings, customizing the appearance and choosing from a vast number of apps, but enjoying all that at the cost of security does not sound like a fair game to me.
