Security Alert: New Android SMS Trojan -- YZHCSMS -- Found in Official Android Market and Alternative Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
While continuing an Android-related research project after the discovery of the DroidKungFu malware, my research team also came across a new Android SMS trojan in the Official Android Market. This malware incurs hidden charges on users' phone bills by sending text messages to premium-rated numbers, which it retrieves from the Internet. Our investigation shows that this SMS trojan has been in the official Android Market for at least three months. We also identified eight other variants in alternative Chinese app markets and forums.

How it works

The YZHCSMS trojan runs as a background thread in infected apps. This thread can be triggered in a number of ways, such as when the system finishes booting or when the infected app runs. Once triggered, it first fetches a target service-provider number from a remote server (through the getHttpUrl() method) at "http://domainxxx.xxxxxxx.com/ss/dom/config.xml", and then sends an SMS message to that number, incurring a charge on the user's phone bill. This URL-fetching-and-SMS-sending behavior repeats every 50 minutes.


Every SMS message it sends starts with the string "YZHC". Moreover, the trojan attempts to cover its tracks by removing any evidence of the SMS messages it has sent, as well as billing messages received from the service provider.

As the figure above shows, some variants only remove messages related to a single hard-coded premium-rated number. Other, more sophisticated variants remove evidence of their activities more thoroughly.
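As an added illustration (not code from the original alert), the following Python heuristic flags the two behaviors described above in an exported SMS record set: the "YZHC" body prefix and the roughly 50-minute send cadence per destination. The record layout, the device ids and the destination placeholder are assumptions made for the example; because the trojan deletes its traces on the handset, such checks are meant to run on carrier-side or gateway-side records rather than the device's own SMS store.

```python
"""Detection heuristic for the YZHCSMS pattern (added example, not the alert's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

PREFIX = "YZHC"                    # the alert states every sent message starts with this
PERIOD = timedelta(minutes=50)     # resend interval described in the alert
TOLERANCE = timedelta(minutes=5)   # allowed jitter around PERIOD (assumption)

# Constructed sample export: (timestamp, device id, destination, direction, body).
# "sp-number-placeholder" stands in for a premium-rated service-provider number.
SAMPLE_RECORDS = [
    ("2011-06-01 08:00:00", "dev-A", "sp-number-placeholder", "out", "YZHC10"),
    ("2011-06-01 08:50:10", "dev-A", "sp-number-placeholder", "out", "YZHC10"),
    ("2011-06-01 09:40:05", "dev-A", "sp-number-placeholder", "out", "YZHC10"),
    ("2011-06-01 09:41:00", "dev-A", "+15551234567", "out", "see you at 10"),
    ("2011-06-01 12:00:00", "dev-B", "+15559876543", "out", "YZHC? never heard of it"),
]

def parse(records):
    """Turn the raw tuples into records with real datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dev, dst, direction, body)
            for ts, dev, dst, direction, body in records]

def prefix_hits(records):
    """Outgoing messages whose body starts with the YZHC marker (low-confidence signal)."""
    return [r for r in parse(records) if r[3] == "out" and r[4].startswith(PREFIX)]

def periodic_senders(records, min_repeats=3):
    """(device, destination) pairs that send at ~50-minute intervals, which matches the
    fetch-and-send loop even if a variant changes the body marker."""
    by_pair = defaultdict(list)
    for ts, dev, dst, direction, _ in parse(records):
        if direction == "out":
            by_pair[(dev, dst)].append(ts)
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - PERIOD) <= TOLERANCE]
        if len(regular) + 1 >= min_repeats:   # N regular gaps means N+1 messages
            flagged.append(pair)
    return flagged

def suspects(records):
    """High-confidence result: periodic senders that also used the YZHC prefix."""
    marked = {(r[1], r[2]) for r in prefix_hits(records)}
    return [pair for pair in periodic_senders(records) if pair in marked]

if __name__ == "__main__":
    print("prefix hits:", len(prefix_hits(SAMPLE_RECORDS)))
    print("suspects:", suspects(SAMPLE_RECORDS))
```

The prefix check alone also catches the harmless dev-B message, which is why the cadence check is combined with it before a device is flagged.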

Follow-ups:

Last modified: June 7th, 2011