
Trojan:Android/YZHCSMS.A


First posted on 19 July 2011.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Android/YZHCSMS.A.

Explanation :

Trojan:Android/YZHCSMS.A sends SMS/MMS messages to premium rate numbers, potentially incurring unexpected/unwanted usage charges.

Additional Details

This trojan was found as a trojanized version of an application related to a Chinese social network, PPXIU.

Installation

Before installation, the trojan displays the following permissions requests:



The permissions requested allow the program to observe the content of incoming SMS messages.

Trojan:Android/YZHCSMS.A is activated after a system reboot, or after the "Home" button is pressed.

Activity

Trojan:Android/YZHCSMS.A first reports its successful activation to a remote site:

  • http://[...].waplove.cn:[...]/Wukong/android/[...]


It then obtains a list of premium-rate telephone numbers from another remote site:

  • http://domaindev.[...]widgets.com/ss/[...]


Note: at the time of writing, both sites are blocked by our Browsing Protection service.

The trojan then sends SMS messages to the obtained numbers. The SMS messages sent contain text that always starts with "YHZC" or "YZHC", appended with the phone's International Mobile Equipment Identity (IMEI) number and user value.

This behavior may incur significant usage charges to the unsuspecting user. The trojan includes a routine that attempts to disguise this behavior: without the user's knowledge, it deletes incoming SMS messages from the service provider that contain the Chinese characters "bao yue" ("monthly" in English).
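The outgoing-SMS format described above can be turned into a simple triage check over a device's sent-message records. The following is an added example, not code from the original write-up: the record layout, the sample messages and the assumption that the IMEI appears as a stand-alone run of 15 digits after the prefix are all constructed for illustration.

```python
import re

# Prefixes the write-up reports at the start of every SMS the trojan sends.
PREFIXES = ("YHZC", "YZHC")
# Assumption: the IMEI follows the prefix as a stand-alone run of 15 digits.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(body: str) -> str:
    """Score one sent SMS body: 'high', 'medium' or 'none'."""
    if not body.startswith(PREFIXES):
        return "none"
    rest = body[4:]  # both prefixes are four characters long
    if any(luhn_ok(m.group()) for m in IMEI_RE.finditer(rest)):
        return "high"    # prefix plus a Luhn-valid 15-digit IMEI
    return "medium"      # prefix only; worth a manual look


def scan(records):
    """records: iterable of (timestamp, destination, body) for sent SMS."""
    hits = []
    for ts, dst, body in records:
        score = classify(body)
        if score != "none":
            hits.append((ts, dst, score))
    return hits


# Constructed sample records (not taken from a real device or from the page).
SAMPLE_SENT = [
    ("2011-07-19T10:00:01", "DEST-A", "YZHC490154203237518u1"),
    ("2011-07-19T10:00:09", "DEST-B", "YHZC 490154203237518 user42"),
    ("2011-07-19T10:02:30", "DEST-C", "YZHC 490154203237519"),  # bad check digit
    ("2011-07-19T10:05:00", "DEST-D", "See you at 5"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_SENT):
        print(hit)
```

A "medium" result means only the prefix matched, which also covers messages where the user value is appended to the IMEI as further digits.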

Last update 19 July 2011

 
