Android malware news: a year after Zsone’s discovery, we’ve come across a new variant. Or at least a sample that causes us to ask, is a new variant under development? This new Zsone uses a native component for its SMS sending routine.
Here a code snippet from its binary component for sending SMS.
However, its SMS interception routine for preventing the broadcasting of message that come from “10086” or “1066185829” is not implemented or part of the native library.
The first variant, Trojan:Android/Zsone.A, has been known to exist on the official Android market.
Hopefully this new variant will not make it to Google Play. One wonders about the motivation of this development. We can see several possibilities of how the malware could utilize this new technique. Perhaps to defeat Google’s Bouncer?
Our Mobile Security detects this as Trojan:Android/Zsone.C.
Analysis by — Zimry
Leave a reply