Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Android ‘Gazon’ worm proliferates through texts, infects more than 4k phones

Experts have discovered a new Android malware campaign that has infected more than 4,000 North American phones in less than a week.

The campaign involves victims receiving an SMS message from a familiar contact that prompts them to click on a link to a site which promises a $200 Amazon gift card, according to a blog post by Yicheng Zhou, security analyst at AdaptiveMobile. To receive the gift card, the recipient is asked to download an APK file from the malicious site.

If downloaded and opened, the app prompts victims to take a survey in order to receive the gift card. As users toil away on tasks to earn the reward, attackers reap the profit through referral traffic. They're also simultaneously harvesting the victims' contacts.

More than 16,000 people have clicked the malicious link, said Cathal Mc Daid, head of data intelligence and analytics at AdaptiveMobile, in an interview with

“This malware is just trying to spread on the promise of money payment,” Mc Daid said. “That's the main difference [between Gazon and other malware]. It's a better hook for people to actually accept this.”

The ruse also appears to have tricked users around the world, and no anti-virus engines are detecting the malware, AdaptiveMobile reported. 

The company has called the attack the "the single largest text-message-initiated mobile malware attack to date on Android."

“This piece of malware is quite simple,” Mc Daid said. “It's not doing the more dangerous types of activities, which is probably the reason why it wasn't being picked up by any of the anti-virus vendors. It's not doing those other more dangerous things that they normally look for.”

Interestingly, Mc Daid noted, the shortened URL account related to the initial malicious link connects to a legitimate Facebook account. Although he couldn't reveal the user's details, Mc Daid did say the user appears to have created shortened links for previous scams, including a WhatsApp spam campaign.

The user's account and URLs are now disabled. However, Mc Daid said the company has already seen new versions of the attack that demonstrate changes in how the malicious app is executed.

This attack comes amid new research that the number of financial malware attacks against Android users grew by 3.25 times in 2014.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.