Slashdot Mirror


"SMSZombie" Malware Infects 500,000 Android Users In China

wiredmikey writes "Researchers have recently discovered a new sophisticated and resilient mobile threat targeting Android phones that is said to have infected about 500,000 devices, mainly in China. Called 'SMSZombie,' the malware is stubborn and hard to remove, but users outside of China have little to worry about with this latest discovery. The prime function of the mobile malware is to exploit a vulnerability in the mobile payment system used by China Mobile, making it of little value to the fraudsters outside of China. The malware takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments to premium service providers, and can also remotely control the infected device. It has been spread via wallpaper apps that sport provocative titles and nude photos, and can only be removed using a lengthy process beyond the skills of a typical Android user."

5 of 116 comments

  1. Re:"Lengthy Process" by Thantik · Score: 4, Insightful

    In addition to removing it from device administrators. Which is like 2 actual steps. It's very tame compared to what it _could_ take.

  2. Re:"Walled garden"? by fuzzyfuzzyfungus · Score: 5, Insightful

    Apple is quite lucky that nobody ever weaponized anything back in the good old days of Jailbreakme... In-browser TIFF exploit leading to full root access just by loading a web page.

    Google, of course, is similarly lucky that nobody bothered to do anything wacky during the "yeah, everything you type gets silently dumped to a root shell, why do you ask?" period in early Android...

    Punchline is, the state of 'mobile' security (really, security in general) is pretty fucking dire, and the current frenzy to tie as many payment systems as possible to mobile phones is complete insanity, except from the perspective of the bottom lines of the respective payment processors, naturally.

  3. Re:"Walled garden"? by Shoten · Score: 5, Insightful

    Sorry guys, but he's got a point. The attack vector here is an app that people voluntarily run, and the walled garden has been effective against that. Are there other vectors? Yeah. But that doesn't mean that his point about this one vector is wrong...it's not wrong at all. It took 5 years for the first malicious app to slip past Apple, and even then, the nature of how it all works meant Apple could remove it from everyone's iPhone with a single update. Android can't boast the same, either on the prevention or the remediation side. I don't hold any hate for either side, but this is just simple truth we're talking here. There have been scores of trojaned Android apps, and many for jailbroken iPhones as well...but only one, ever, for standard iPhones.

    --

    For your security, this post has been encrypted with ROT-13, twice.

  4. Re:"Walled garden"? by Anonymous Coward · Score: 2, Insightful

    I'm not sure I agree with you, at least for iOS. Security was dire around v1.0, but now we're at 5.x going on 6.x and a lot has changed.

    iOS is definitely more secure than Mac/Windows/Ubuntu.

    There is always room for improvement, but iOS has sandboxing and code signing and full disk encryption with a hardware-only encryption key derivation algorithm that is deliberately slow, providing a private key that can be erased remotely or after a few failed decryption attempts.

  5. Re:"Walled garden"? by fuzzyfuzzyfungus · Score: 3, Insightful

    In the context of this article, it's probably worth noting that (even if the iPhone feature described works exactly as advertised) it is aimed at mitigating a completely different class of attack.

    Disk encryption setups aim to protect a lost or stolen device, in the physical custody of the attacker, from revealing whatever information is on the disk. They have no effect when the device is on and operating under the user's credentials (transparency is considered a feature).

    This attack in China is an attack on a live system, using the credentials of the user (or higher) to perform malicious operations as them. Even if the disk were encrypted in a suitably robust way, it'd be happily handing over whatever this bug asked for.