We recently encountered ANDROIDOS_SMSZOMBIE.A, an Android Trojan targeting China Mobile subscribers that takes control of a device’s SMS functionality. It can send, forward, and drop SMS messages. What makes this more troubling for users is the fact that this malware is difficult to uninstall. A dedicated removal tool will be released to Google Play and Chinese app stores next week.
As other researchers have noted, this Trojan takes advantage of a vulnerability in the China Mobile SMS payment process to generate unauthorized payments and to steal bank card numbers and money-transfer receipt information.
How does this threat arrive on user devices? It is usually wrapped in a wallpaper app. Once installed, it can be enabled by selecting Menu > Wallpaper > Live Wallpapers.
data:image/s3,"s3://crabby-images/8bc2c/8bc2c92e919a3f220a07a8a68b5b57b7666be9e9" alt="zombie-figure1"
data:image/s3,"s3://crabby-images/4887d/4887d16e520b679dc9a159d243ab577a84b7ac14" alt="zombie-figure2"
data:image/s3,"s3://crabby-images/192a3/192a3830d541a2f6e7c5aeaa2776d96033d68709" alt="zombie-figure3"
data:image/s3,"s3://crabby-images/02c79/02c79757d811f25ca8c17eb7655a7cbef877705e" alt="zombie-figure4"
data:image/s3,"s3://crabby-images/b9444/b9444032e809cc1649c60d4d55df5847fdf9da7d" alt="zombie-figure5"
What does this app do once it is installed on the user’s device? When first run, it sends the app version and device information (model, OS, language, network) to a “control number” via SMS.
Once running, it has the following capabilities:
- Forward every received SMS message
- Drop SMS messages that contain words from a configurable list
- Send SMS messages
- “Write” an SMS message into the inbox
All of these capabilities are controlled via SMS messages sent by the attacker to the device. These instructions all use the following XML-style tags:

| Tag | Description |
|-----|-------------|
| S | Change the current configuration |
| J | Write the current configuration to phone.xml |
| M | Send an SMS with the values specified by the tags con and rep |
| con | Set the SMS content |
| rep | Set the SMS number |
| E | Write an SMS into the inbox with the values specified by xgh and xgnr |
| xgh | Set the SMS number |
| xgnr | Set the SMS content |
For example, if the attacker wants to send an SMS from the infected device to China Mobile (10086), he can send the following content to the device:

```xml
<con>11</con><rep>10086</rep><M></M>
```
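The command grammar above is simple enough to recognize mechanically, which is useful when triaging message logs pulled from a suspected device. The following Python script is an added example, not code from this post or from Trend Micro: it parses an SMS body for the documented tags, ignores unrelated angle-bracket text such as HTML in an ordinary message, and summarizes which action the Trojan would take. The sample messages and sender numbers are constructed for the example; the first one is the command quoted above with the closing tag written as `</rep>`.

```python
import re

# Command tags documented for ANDROIDOS_SMSZOMBIE.A and the action each triggers.
COMMAND_TAGS = {
    "S": "change the current configuration",
    "J": "write the current configuration to phone.xml",
    "M": "send an SMS (number from <rep>, content from <con>)",
    "E": "write an SMS into the inbox (number from <xgh>, content from <xgnr>)",
}
# Parameter tags that carry the values used by M and E.
PARAM_TAGS = {"con", "rep", "xgh", "xgnr"}

# Matches a <tag>value</tag> pair whose opening and closing names agree;
# the non-greedy value also accepts empty pairs such as <M></M>.
TAG_RE = re.compile(r"<(?P<tag>[A-Za-z]+)>(?P<value>.*?)</(?P=tag)>", re.DOTALL)


def parse_command_sms(body):
    """Return {"commands": [...], "params": {...}} if the SMS body uses the
    Trojan's tag grammar, otherwise None. Tags outside the documented set
    (for example HTML in a marketing message) are ignored, so a body that
    contains only such tags is reported as None."""
    commands = []
    params = {}
    for match in TAG_RE.finditer(body):
        tag, value = match.group("tag"), match.group("value")
        if tag in COMMAND_TAGS:
            commands.append(tag)
        elif tag in PARAM_TAGS:
            params[tag] = value
    if not commands and not params:
        return None
    return {"commands": commands, "params": params}


def describe(parsed):
    """Human-readable summary of a parsed command message for an analyst."""
    lines = [f"{tag}: {COMMAND_TAGS[tag]}" for tag in parsed["commands"]]
    lines += [f"{tag} = {value!r}" for tag, value in parsed["params"].items()]
    return "; ".join(lines)


def scan_inbox(messages):
    """Return (sender, summary) for every message that looks like a C&C command.
    `messages` is an iterable of (sender, body) pairs."""
    hits = []
    for sender, body in messages:
        parsed = parse_command_sms(body)
        if parsed is not None:
            hits.append((sender, describe(parsed)))
    return hits


# Constructed sample messages; the sender numbers are made up for this example.
SAMPLE_MESSAGES = [
    ("+8613800000001", "<con>11</con><rep>10086</rep><M></M>"),        # command from the post
    ("+8613800000002", "<xgh>95555</xgh><xgnr>constructed test message</xgnr><E></E>"),
    ("+8613800000003", "Lunch at 12? Meet at the usual place."),         # benign text
    ("+8613800000004", "<b>Sale!</b> 50% off this weekend"),             # HTML, not a command
]

if __name__ == "__main__":
    for sender, summary in scan_inbox(SAMPLE_MESSAGES):
        print(f"{sender}: {summary}")
```

Run on the constructed inbox, only the first two messages are reported; the benign text and the HTML-formatted message produce no hit because their bodies carry none of the documented tags.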
Configuration files are in XML format as well:
data:image/s3,"s3://crabby-images/1fc25/1fc2528f0ffe0f882be7ace56136f0d2bc8ac6e2" alt="zombie-code"
| Tag | Description |
|-----|-------------|
| D | Control number |
| n | Keyword in SMS content; if a message contains the keyword, the Trojan drops it |
| zdh | Keyword in the sender number; if an SMS comes from a matching number, the message is dropped and never reaches the user |
How does this app prevent itself from being uninstalled? It does the following:
- The wrapper app checks the Trojan's state. If the Trojan is uninstalled, the wrapper app asks the user to install it. Alternatively, if the Trojan is stopped, the wrapper restarts the service.
- If any of the Trojan's services are stopped, it starts the service again.
- If any of the following are opened, the user is returned to the home screen:
  - Device administrator settings
  - The Trojan's application detail page
  - The app 360safe
- If the Trojan is not active as a device administrator, it keeps asking to be activated as such.
- When the Trojan is deactivated as a device administrator, the user is led to believe that deactivating it will cause errors.
Here are the steps you need to perform to manually uninstall this malware:
- First of all, uninstall the wrapper wallpaper app.
- Use a third-party app to terminate android.phone.com.
- Deactivate the Trojan from being a device administrator. Ignore any warnings by pressing the home button.
- Terminate android.phone.com again.
- Uninstall the Trojan normally.
To automate the above process, Trend Micro will release a dedicated detection and removal app. We will update this post with a link to the said tool once it has been released.