Android SMS Malware

According to SOPHOS’ ‘naked security’ blog, there are fake Android Applications making the rounds, which uses SMS (Text messages) to act similarly to a worm and infect as many people as possible. Applications such as ‘Heart App’ and ‘Self-time’ have been discussed and fixed previously, but the most recent malicious app (as of March 6th) goes by the name Gazon.

So how does one become infected by Gazon? It starts with having a friend (or other contact) that has been infected with it already. You would receive an SMS from this person which would contain an introduction, some message stating that they are sending you an amazon gift card, followed by a ‘link’ to where you can claim it. These links are usually obscured by URL shortening services such as Bitly, so they generally wouldn’t look like a normal domain name. If you were to follow this link, it would direct you to download and install Gazon, masquerading as an Amazon Rewards Application. Upon downloading and running this app, every contact that a user has becomes a viable target, as Gazon doesn’t limit itself to the amount contacts it will attempt to reach like Heart App and Self-time do. On top of this, pop-up ads will be displayed when using browsers, advertising games, vouchers and rewards (according to the article).

There are two things that I find interesting about this ordeal. The first is that this this app is not certified by Google, and thus does not appear on the Google Play store. The only way that this app can spread is through SMS, meaning that if you’ve ever gotten a message similar to this, than one of your contacts has fallen for this tactic and downloaded it. Furthermore, I could not find an ‘Amazon Rewards’ app on the Google Play store, legitimate or otherwise, meaning that its likely no such application exists. The second thing that I found interesting is how many ways that infection could be avoided with this app, which are not taken by the victims. For example, simply responding to the message by asking the contact what its all about would likely result in the contact confirming its spam. Similarly, someone upon being prompted to download the app could look it up on Google Play to check its legitimacy, and find that it is not legitimate. However, neither of these actions are taken, and thus the worm has proceeded to spread quickly.

The author of the malicious app has yet to be identified. Previous iterations of these kinds have apps are able to be tracked, such as the Heart App which was traced to a bored Chinese college student, but it depends on how well the authors are attempting to stay hidden. On that note the Self-time App, which is close to half a year old at this point, still has not been traced to any definitive creator.

Written By Jeff Gruttadauria

Articles Used: