Aggressive Android trojan SMSZombie detected in China
by Anuradha Shetty
Analysts at TrustGo Security Labs have discovered a new trojan, Trojan!SMSZombie.A, according to an official blog post. The complex and sophisticated malware exploits a vulnerability in the China Mobile SMS Payment System to make unauthorised payments and to steal bank card numbers and receipt information regarding money transfers. The trojan is difficult to detect, and even more difficult to remove. The malicious code piggybacks on a wallpaper app found in GFan, China's largest Android marketplace. The trojan installs itself on a device after the user has downloaded and installed the app, which makes detection difficult; as a result, the wallpaper app is not flagged as malicious in the marketplace. Further, the trojan can change the amount and timing of unauthorised charges, so most of the time users don't know that they have been hacked.
Image caption: Researchers discover difficult-to-detect malware
In the course of their investigation, researchers at TrustGo found that the malware is used to recharge the hackers' online gaming accounts via the China Mobile SMS Payment System. To avoid being caught, the amount wiped out is usually relatively low.
Once installed, the app can block the user from removing or disabling it. The blog post lists a number of packages in which it can be found -- com.ldh.no1, com.lzll.pic, com.xqxmn18.pic, com.gmdcd.pic, com.gsjnqt1.pic, com.zqbb1221.pic and com.bntsxdn.pic.
The blog post reveals that the wallpaper app in which the malware has been concealed gets the users' attention with provocative titles and images. Once a user sets one of the wallpapers as the device's wallpaper, the app further asks the user to install more files associated with the trojan. If the user agrees, then the payload included in a file called 'Android System Service' is installed. Then the malware attempts to get administrator privileges on the device. Here, a user cannot cancel the step and deny administrator access to the malware. Hitting the "Cancel" button causes the dialog box to keep reappearing until the user chooses "Activate". This way, users find themselves unable to delete or disable the app.
Researchers have found that by using a configuration file, which can be updated by the makers of the malware at any time, it is possible for the malware to intercept and forward text messages. As SMSes sometimes include banking information and other financial details, the malware can wreak further havoc in user accounts.
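A triage check built from the indicators above, as an added example that is not from the article or the TrustGo blog post: it flags a decoded AndroidManifest.xml whose package name is on the list, or that combines SMS permissions with a device-administrator receiver. The sample manifest and the finding labels are constructed; the permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Package names listed in the article (from the TrustGo blog post).
LISTED_PACKAGES = {
    "com.ldh.no1", "com.lzll.pic", "com.xqxmn18.pic", "com.gmdcd.pic",
    "com.gsjnqt1.pic", "com.zqbb1221.pic", "com.bntsxdn.pic",
}
# Standard Android permissions for receiving, reading and sending text messages.
SMS_PERMISSIONS = {"android.permission." + p
                   for p in ("RECEIVE_SMS", "READ_SMS", "SEND_SMS")}
# A device-admin component is a receiver guarded by this permission.
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml):
    """Return a list of findings (labels are assumptions) for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    package = root.get("package", "")
    if package in LISTED_PACKAGES:
        findings.append("listed-package:" + package)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMISSIONS)
    if sms:
        names = ",".join(p.rsplit(".", 1)[1] for p in sms)
        findings.append("sms-permissions:" + names)
    admins = [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
              if r.get(ANDROID_NS + "permission") == ADMIN_PERMISSION]
    if admins:
        findings.append("device-admin:" + ",".join(admins))
    # SMS access together with device admin matches the behaviour described.
    if sms and admins:
        findings.append("review:sms-plus-device-admin")
    return findings


# Constructed sample manifest (the real samples' manifests are not on the page).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.lzll.pic">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Calling `triage_manifest(SAMPLE_MANIFEST)` returns the findings for the constructed sample; a manifest with none of the markers returns an empty list.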
Know more about the trojan.
Cover Image credit: Getty Images
Tags: Android malware, Android platform, TrustGo Security Labs, Trojan!SMSZombie.A, China Mobile SMS Payment system, online gaming accounts