Android 'SMSZombie' Trojan infects 500,000 Chinese users

Difficult to de-install

Reports have emerged from China of an ingenious new backdoor Android malware attack that has infected hundreds of thousands of subscribers and can prove difficult to de-install without technical support.

Dubbed Trojan!SMSZombie.A - 'SMSZombie' for short - by one of the companies reporting on it, the malware is said to have spread through the largest Chinese Android marketplace, GFan, piggybacking itself as a back door on the back of porn-themed wallpaper apps.

The innovation is the use of a backdoor to install itself before the payload is downloaded. This makes detection harder, said the company that detected it, TrustGo.

The malware becomes active once it has been selected as the smartphone's wallpaper, after which it asks to download additional files in the form of what claims to be an 'Android system service.'

It then asks for administrator privileges (pressing the cancel button for this request simply throws up a dialog box each time), after which the user cannot disable the app using Android's 'uninstall app' function.

Beyond the fact that the criminals have control of the device and can intercept messages, the purpose is to defraud the user of money via payments exploiting an unspecified flaw in the China Mobile SMS Payment System.

Noticed as long ago as 25 July, TrustGo said that it believed the malware had infected more than 500,000 smartphones.

"It has been confirmed that this virus has been used to recharge online gaming accounts via the China Mobile SMS Payment system. Commonly, the victim's account is charged a relatively low amount to escape detection," said TrustGo.

SMSZombie is unlikely to affect subscribers in countries such as the US and UK, but its design indicates that attackers are thinking of ways to beat new layers of security added to protect Android systems.

All the same, SMS frauds via premium rate services are far from unknown, although such events have yet to sink receive wider publicity In May, a fake Angry Birds app was discovered that had infected 1,400 UK phone users, defrauding them of around £28,000 ($44,000).

In July, Trusteer reported on an Android Trojan being distributed to beat the SMS authentication systems used by European and US banks.

SMSZombie can be de-installed manually by following the instructions posted by TrustGo.

Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Imprivata OneSign®

Get identity and password proliferation under control, reduce helpdesk costs and extend secure, single sign-on access to any enterprise application with a single solution.

more »

Submit your own security event

Submit your training courses

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.

Read More
more »