May 11, 2011

Security Alert: Zsone Trojan found in Android Market

The Threat

Google recently removed a Trojan, Zsone, from the Android Market. The Trojan can subscribe users in China to premium-rate QQ codes via SMS without their knowledge. A QQ code is a form of short code, used primarily in China, that can subscribe users to SMS update or instant message services. The malware was embedded in 10 apps, published by the developer named Zsone, that were available on the Android Market and alternative markets. Lookout Free and Premium users are already protected. The infected apps from Zsone are:

  • iMatch
  • 3D Cube horror terrible
  • ShakeBanger
  • Shake Break
  • Sea Ball
  • iMine
  • iCalendar
  • LoveBaby
  • iCartoon
  • iBook

Once the user starts the app on their phone, the app silently sends an SMS message that subscribes the user to a premium-rate SMS service without their authorization or knowledge. We discovered one instance (iBook) that could subscribe a user to three different services by sending three silent SMS messages. For users in China, this may result in charges to the affected phone owner’s mobile account. We have also found instances of this malware on alternative markets targeting Chinese users.

Who is Affected

Currently this threat affects Chinese Android phone owners who downloaded the app from the Android Market. The total number of downloads attributed to this app in the Android Market appears to be under 10,000.  All instances of the threat have been removed from the market.

How to Stay Safe

Lookout Free and Premium users are automatically protected from this threat and do not need to take further action.

As the number of malware exploits on smartphones increases, it is more important than ever to pay attention to the apps you’re downloading. Here are a few tips to stay safe:

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity. Check your mobile phone statement for any unusual charges.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this threat.
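
The permission check from the tips above can be automated. The following is an added example, not code from Lookout or from the original post: it reads permission listings in the style printed by `aapt dump permissions` and flags apps that request SMS permissions their advertised category does not explain. The package names, category labels and sample listings are constructed for illustration.

```python
import re

# SMS-related Android permissions; an app holding SEND_SMS can send texts
# without any user interaction.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Assumption for this example: advertised categories for which text
# messaging is a plausible feature.
SMS_EXPECTED_CATEGORIES = {"messaging", "communication"}

# Matches both listing styles:
#   uses-permission: android.permission.SEND_SMS
#   uses-permission: name='android.permission.SEND_SMS'
PERMISSION_LINE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)")


def requested_permissions(dump):
    """Return the set of permissions named in a permission listing."""
    found = set()
    for line in dump.splitlines():
        match = PERMISSION_LINE.match(line.strip())
        if match:
            found.add(match.group(1))
    return found


def sms_mismatches(apps):
    """Return {package: [SMS permissions]} for apps whose category does not explain them."""
    flagged = {}
    for package, (category, dump) in apps.items():
        sms = sorted(requested_permissions(dump) & SMS_PERMISSIONS)
        if sms and category.lower() not in SMS_EXPECTED_CATEGORIES:
            flagged[package] = sms
    return flagged


# Constructed sample listings (not taken from the apps named in this alert).
SAMPLE_APPS = {
    "com.example.shakegame": ("game", "package: com.example.shakegame\n"
        "uses-permission: android.permission.INTERNET\n"
        "uses-permission: android.permission.SEND_SMS\n"),
    "com.example.texter": ("messaging", "package: com.example.texter\n"
        "uses-permission: name='android.permission.SEND_SMS'\n"
        "uses-permission: name='android.permission.RECEIVE_SMS'\n"),
    "com.example.planner": ("calendar", "package: com.example.planner\n"
        "uses-permission: name='android.permission.READ_CALENDAR'\n"),
}

if __name__ == "__main__":
    for package, perms in sms_mismatches(SAMPLE_APPS).items():
        print(f"{package}: unexplained SMS permissions {perms}")
```

A flagged app is a candidate for closer review, not proof of infection; the check only surfaces the mismatch between requested permissions and stated features.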


2 comments
  1. mugabo says:

    This is good information to know (especially listing known affected apps); thank you for not only providing what I consider to be an indispensable security application for my phone, and again for disclosing known affected apps. Let me know if any of your team is in Seattle and would like a beer or four complimentary. :)

  2. [...] HongTouTou, PJApps, DroidDream/Rootcager, Bgserv, Zhash/Zeahache, Walk&Text/Walkinwat, Adsms, Zsone/Smstibook, Smspacem, Lightdd/Droid Dream Light, DroidKungFu/Legacy/Gonfu, Basebridge, YZHCSMS/Uxipp, [...]
