Android malware that takes over user administration privileges with the intention of stealing victims' bank card numbers and making fraudulent purchases has spread through GFan, China's mobile app marketplace.
The backdoor trojan, called SMSZombie, was first discovered in late July by mobile security company TrustGo, and has since infected more than 500,000 Android devices, primarily in China.
“The most critical thing is that it actually takes over – it gets access to the system administrator,” Jeff Becker, head of marketing at TrustGo, told SCMagazine.com on Monday. "In the background, it takes control over the ability to send SMS messages through the system."
The messages send payments to the attackers, who also are able to recover "confirmation" texts, which contain additional details that the fraudsters may be able to use to extract money from victims' bank accounts.
The virus spreads through infected wallpaper apps that are downloaded. According to a blog post written last week, TrustGo has identified several compromised apps on GFan.
When a user downloads the wallpaper app, they are prompted to download additional files, including one called “Android System Service," which contains the payload.
The trojan then interferes with the system to the point that a user cannot delete the app and forces the device to return to the smartphone's home screen.
“Once it takes over, it sends payment requests on its own,” Becker said. “There's an interface the developers can use to change the amounts, timing and destination of the payments.”
Smaller payments are charged to victims' accounts, with the intention that the fraud will go unnoticed. Becker said that unauthorized payments in the amount of $5 usually show up on victims' cell phone bill.
TrustGo said the malware is not a major threat to Android users in the United States, or those outside the impacted market in China, as the trojan targets a vulnerability specific to the Chinese mobile SMS payment process.
Becker said the system's weakness lies in its simplicity, as many users enable paid services through pre-paid SIM card accounts.
"This particular payment system must have fewer safeguards to make it work simply and efficiently," Becker explained. "Because the virus has acquired permissions to send and edit SMS messages on behalf of the user, China Mobile only knows that the payment has been authorized, [so] it deducts the amount immediately from the SIM card-connected account."
To avoid such threats, experts typically advise users only install applications from trusted marketplaces, like Google Play, formerly the Android Market.