Trojan:AndroidOS/SmsZombie.A
First posted on 28 September 2012.
Source: Microsoft
Aliases:
There are no other names known for Trojan:AndroidOS/SmsZombie.A.
Explanation:
Trojan:AndroidOS/SmsZombie.A is a trojan that affects mobile devices running the Android operating system. While posing as a live wallpaper, it can steal information and intercept your SMS messages.
Installation
You may install this trojan unintentionally when you download and install a wallpaper.
Trojan:AndroidOS/SmsZombie.A may arrive as any of the following installer packages:
- com.bntsxdn.pic.apk
- com.zqbb1221.pic.apk
- xqxmn18.apk
On installation, it can display changing live wallpapers, and may display the following information on the device, listing its capabilities:
Upon execution, Trojan:AndroidOS/SmsZombie.A displays a message similar to that seen in the below screenshot, asking you to install the program/live wallpaper to get 100 points. However, if you click "accept", an APK installer disguised as a .jpg file is loaded; when run, it executes the payload.
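The installer described above is an APK that carries a .jpg name. As an added example (not part of the original analysis), this Python check flags image-named files whose content is really an APK. The file names and sample bytes are constructed, and treating "ZIP archive containing AndroidManifest.xml" as the APK test is a simplifying assumption.

```python
import io
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"   # start-of-image marker of a genuine JPEG
IMAGE_EXTS = (".jpg", ".jpeg")

def is_apk(data: bytes) -> bool:
    """True if the bytes open as a ZIP archive that carries an Android manifest."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    try:
        with zipfile.ZipFile(buf) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def classify(name: str, data: bytes) -> str:
    """Compare a file's claimed type (its extension) with its real content."""
    if not name.lower().endswith(IMAGE_EXTS):
        return "skipped"
    # Test for ZIP first: the ZIP directory sits at the end of the file, so a
    # JPEG header with an APK appended still opens as an archive.
    if is_apk(data):
        return "apk-disguised-as-image"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "not-a-jpeg"

def make_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the two entries every APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

JPEG_STUB = JPEG_MAGIC + b"\xe0" + b"\x00" * 32    # constructed, header only
SAMPLES = {                                        # constructed file names
    "wallpaper.jpg": JPEG_STUB,
    "bonus.jpg": make_sample_apk(),
    "polyglot.jpeg": JPEG_STUB + make_sample_apk(),
    "notes.txt": b"not an image name, ignored",
}

def scan(files: dict) -> dict:
    return {name: classify(name, data) for name, data in files.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The same content-versus-extension comparison can be run over a download folder or a mail gateway's attachment store by passing each file's name and bytes to `classify`.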
Payload
Steals information
The trojan steals information from your mobile device, then sends this, via an SMS, to the following number:
13093632006
SmsZombie has been observed stealing the following information:
- Language settings
- Network type
- Android OS version
- Phone model
Intercepts SMS messages
The trojan intercepts SMS messages that are sent to your mobile device. It checks each message for specific substrings, and if any are found, it forwards the SMS to the number "13093632006". These messages may contain your private information, which the attacker may use for malicious purposes.
The original message is then deleted from your mobile device.
SmsZombie creates an .xml file in the path '/data/data/android.phone.com/files' that contains the substrings that act as filters to the SMS messages.
Analysis by Marianne Mallen
Last update 28 September 2012