Android/SmsZombie.A!tr

Analysis

Android/SMSZombie.A!tr is malware targeting Android mobile phones.
It is a Chinese wallpaper application.
Its malicious activity consists of installing another malicious package, detected as Android/SMSZombie.B!tr. That second package, Android/SMSZombie.B!tr, carries most of the malicious payload, i.e. sending SMS messages, monitoring incoming SMS messages and hiding messages from the victim.


Technical Details


The malicious activity of Android/SMSZombie.A!tr itself is limited to installing Android/SMSZombie.B!tr. The main application is a Chinese wallpaper application that can come in the form of the packages com.gmdcd.pic, com.ldh.no1, com.bntsxdn.pic, com.hxmv696.pic, com.xqxmn18.pic, com.zqbb1221.pic or com.lzll.pic.
Once installed, the application has no icon in the main phone menu; it does, however, appear in the list of wallpapers (see Fig1).
Fig1 : The main wallpaper application
When the user selects the wallpaper for the first time, the notification shown in Fig2 is displayed. It asks the user to tap the icon and install an application in order to receive 100 points.
Fig2 : Wallpaper notification
Tapping the icon brings up the user confirmation shown in Fig3.
Fig3 : Installation confirmation required upon clicking the icon
The functions above are implemented by the BXWallActivity class of the package.
If the user taps the agree button, another application, named "Android System Services" (in Chinese), is installed on the victim's phone; this second application contains the malicious functions.
This functionality is implemented by the jifenActivity class. It reads the file a33.jpg from the package's assets; despite its extension, the file is not an image but a malicious Android package (detected as Android/SMSZombie.B!tr), which the class then installs.
Permissions required by the application:
  • BIND_WALLPAPER
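The dropper pattern described above, an APK hidden in the assets folder under an image file name (a33.jpg), is easy to check for during static triage because an APK is a ZIP archive and carries a recognisable magic number regardless of its extension. The following is an added example written for this page, not Fortinet's code and not code from the sample: it scans the assets/ entries of a package for files named like images whose content is actually a ZIP containing the core APK entries (AndroidManifest.xml and classes.dex; treating that pair as "this is an APK" is a heuristic chosen here, not something the page states). The sample it scans is constructed in memory with placeholder contents, so the script runs offline; only the entry name a33.jpg is taken from the analysis.

```python
"""Triage check for an APK disguised as an image inside another APK's assets.

Added example for this page, not Fortinet's code. The package it scans is a
CONSTRUCTED stand-in built in memory; no real malware sample is involved.
"""
import io
import zipfile

# Magic bytes of a ZIP local file header; APKs are ZIP archives.
ZIP_MAGIC = b"PK\x03\x04"
# Heuristic (an assumption of this example): a ZIP that contains both of
# these entries is treated as an Android package rather than a plain archive.
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")
# Extensions a dropper would plausibly use to make a payload look like artwork.
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def is_apk(data: bytes) -> bool:
    """Return True if `data` is a ZIP archive carrying the core APK entries."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return all(marker in names for marker in APK_MARKERS)


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return (asset name, sorted inner entry names) for every assets/ entry
    whose extension says 'image' but whose content is itself an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith("assets/"):
                continue
            if not name.lower().endswith(IMAGE_EXTS):
                continue
            payload = zf.read(name)
            if is_apk(payload):
                with zipfile.ZipFile(io.BytesIO(payload)) as inner:
                    hits.append((name, sorted(inner.namelist())))
    return hits


def build_constructed_sample() -> bytes:
    """Build a CONSTRUCTED stand-in for the dropper: an outer 'wallpaper'
    package whose assets/a33.jpg is a minimal inner package. All file
    contents are placeholders, not bytes from any real sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder
        zf.writestr("classes.dex", b"dex\n035\x00")          # placeholder header

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        # A genuine-looking wallpaper: JPEG SOI/APP0 magic, must NOT be flagged.
        zf.writestr("assets/wall1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        # The disguised payload: a ZIP/APK stored under an image name.
        zf.writestr("assets/a33.jpg", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for entry, contents in find_embedded_apks(build_constructed_sample()):
        print(f"{entry}: embedded APK containing {contents}")
```

Against a real sample, replace build_constructed_sample() with the bytes of the APK under analysis; the check keys on content rather than file name, so renaming the payload does not evade it, although a payload that is encrypted or encoded before being written to assets would need a different check.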

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Availability
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date          Version     Detail
2022-10-26    90.07257
2022-09-14    90.05983
2022-09-13    90.05937
2022-06-08    90.03077
2022-04-13    90.01362
2022-04-06    90.01152
2022-02-02    89.09263
2021-12-29    89.08213
2021-11-03    89.06533
2021-10-27    89.06323