Security Alert: New Android SMS Trojan -- YZHCSMS -- Found in Official Android Market and Alternative Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
While continuing an Android-related research project after the discovery of the DroidKungFu malware, my research team also came across a new Android SMS trojan in the Official Android Market. This malware incurs hidden charges on users' phone bills by sending text messages to premium-rated numbers, which it retrieves from the Internet. Our investigation shows that this SMS trojan has been in the official Android Market for at least three months. We also identified eight other variants in alternative Chinese app markets and forums.
How it works
The YZHCSMS trojan runs as a background thread in infected apps. This background thread can be triggered in a number of ways, such as when the system finishes booting or when the infected app runs. After being triggered, it first fetches a target service provider number from a remote server (through the getHttpUrl() method) -- "http://domainxxx.xxxxxxx.com/ss/dom/config.xml" -- and then sends an SMS message to that number, incurring a charge on the user's phone bill. This URL-fetching-and-SMS-sending behavior repeats every 50 minutes.
The SMS messages sent always start with the string "YZHC". Moreover, the SMS trojan also attempts to cover its tracks by removing any evidence of the SMS messages it has sent, as well as the billing messages received from the service provider.
As you can see in the figure above, some variants only remove messages related to a hard-coded premium-rated number. Other, more sophisticated variants remove evidence of their activity more thoroughly.
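As an added illustration (not code from the original write-up), the following Python flags outbound SMS records that match the behavior described above: bodies beginning with "YZHC" sent to one destination on a roughly 50-minute cadence. The device ids, timestamps and the destination number are constructed placeholders, and the 5-minute tolerance is an assumption.

```python
"""Detection for the YZHCSMS pattern: outbound SMS bodies starting with
"YZHC", repeated to one destination on a ~50-minute cadence."""
from collections import defaultdict
from datetime import datetime, timedelta

YZHC_PREFIX = "YZHC"
PERIOD = timedelta(minutes=50)    # fetch-and-send interval from the write-up
TOLERANCE = timedelta(minutes=5)  # hypothetical slack for scheduler jitter

# Constructed records shaped like a carrier/billing-side export:
# (device id, "YYYY-MM-DD HH:MM", destination, body). The trojan deletes
# its sent messages on the handset, so an on-device SMS dump is not a
# reliable source for this check. "1066XXXX" is a placeholder destination.
SAMPLE_RECORDS = [
    ("dev-A", "2011-06-01 08:00", "+15551234567", "see you at 9"),
    ("dev-A", "2011-06-01 08:03", "1066XXXX", "YZHC a1b2"),
    ("dev-A", "2011-06-01 08:53", "1066XXXX", "YZHC a1b2"),
    ("dev-A", "2011-06-01 09:44", "1066XXXX", "YZHC a1b2"),
    ("dev-B", "2011-06-01 10:00", "+15557654321", "YZHC is my nickname"),
]


def yzhc_messages(records):
    """Weak indicator: every outbound body that starts with the marker."""
    return [
        {"device": d, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
         "dest": dest, "body": body}
        for d, ts, dest, body in records if body.startswith(YZHC_PREFIX)
    ]


def periodic_yzhc_senders(records, min_messages=3):
    """Strong indicator: YZHC messages from one device to one destination
    whose consecutive gaps all fall within PERIOD +/- TOLERANCE.
    Returns {device: {destinations}}; single stray matches are dropped."""
    by_pair = defaultdict(list)
    for r in yzhc_messages(records):
        by_pair[(r["device"], r["dest"])].append(r["ts"])
    hits = defaultdict(set)
    for (device, dest), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_messages:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - PERIOD) <= TOLERANCE for gap in gaps):
            hits[device].add(dest)
    return dict(hits)
```

The prefix check alone would also flag dev-B's ordinary message, which is why the cadence check is the one worth alerting on.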
Follow-ups:
- 6/8/2011: We have been in contact (both reaching out and being contacted) with leading mobile anti-virus companies and research labs, including Lookout, Kaspersky, F-Secure, Sophos, Google, Webroot, Symantec, ...
- 6/7/2011: We notified Google about the offending apps in the Official Android Market. They are currently suspended from the Android Market pending investigation.
Last modified: June 7th, 2011