Android SMS Trojan

A new threat method is on, we cannot even trust Google’s Android Market for security anymore…
I am talking about a n Android platform based Trojan, that secretly sending a text message to a certain phone number.

Its nickname is zsone because the ID of the developer who registered this malicious app in the Android Market was zsone.
A a total of 13 apps are currently registered in the name of zsone and 10 out of them contain malicious codes.
Currently all 13 registered apps are banned from the market. So they cannot be downloaded any longer.

Currently the malicious behavior we observed only works in China, therefore if your location is in China, please check your system and see if any zsone’s apps appear on your device.

Below is the list of the malicious apps:

* iMatch
* 3D Cube horror terrible
* ShakeBanger
* Shake Break
* Sea Ball
* iMine
* iCalendar
* LoveBaby
* iCartoon
* iBook

Lets take for instance: iCalender from the list above…
Looking at the ‘iCalender’ SourceCode, you can see that after running the app, if showImg() is called five times, sensSms() will be called and a text message will be sent.


Then, it sends a text message to: ‘1066185829’, using sendTextMessage().
This number is used for premium phone calls in China. It is known for being a number for billing a kind of certain service.

The save() function below is a flag as explained above. It save the ‘Y’ value.

Also, this app separately installs smsReceiver and hides text messages that are received by a certain phone 특정 number:

There are some more static analysis available on Internet, like here:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: