Trojan:Android/YZHCSMS.A

Classification

Category :

Malware

Type :

Trojan

Platform :

Android

Aliases :

YZHCSMS, YZHCSMS.A, YZHCSMS.B

Summary

Trojan:Android/YZHCSMS.A sends SMS/MMS messages to premium rate numbers, potentially incurring unexpected/unwanted usage charges.

Removal

Once the scan is complete, the F-Secure security product will ask if you want to uninstall the file, move it to the quarantine or keep it installed on your device.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This is a trojanized version of an application related to a Chinese social network, PPXIU.

Installation

Before installation, the trojan displays the following permissions requests:

The permissions requested allow the program to observe the content of incoming SMS messages.

Trojan:Android/YZHCSMS.A is activated after a system reboot, or after the "Home" button is pressed.

Activity

Trojan:Android/YZHCSMS.A first reports its successful activation to a remote site:

  • https://[...].waplove.cn:[...]/Wukong/android/[...]

It then obtains a list of premium-rate telephone numbers from another remote site:

  • https://domaindev.[...]widgets.com/ss/[...]

Note: at the time of writing, both sites are blocked by our Browsing Protection service.

The trojan then sends SMS messages to the obtained numbers. The text of each SMS always starts with "YHZC" or "YZHC", followed by the phone's International Mobile Equipment Identity (IMEI) number and a user value.

This behavior may incur significant usage charges for the unsuspecting user. The trojan includes a routine that attempts to disguise this behavior: it deletes, without the user's knowledge, incoming SMS messages from the service provider that contain the Chinese characters "bao yue" ("monthly" in English).
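As an added illustration of how the two behaviors described above could be recognized in a device's SMS records, the following Python script is not part of this description and is not F-Secure code. It assumes the IMEI in the outgoing text is the usual 15 digits (with its Luhn check digit), treats whatever follows as the unspecified user value, and runs over a small set of SMS events constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Outgoing SMS body as described in the write-up: "YHZC" or "YZHC", then the
# device IMEI, then a user value. The 15-digit IMEI length and the loose match
# on the user value are assumptions made for this example.
YZHCSMS_BODY = re.compile(r"^(?:YHZC|YZHC)(?P<imei>\d{15})(?P<user>.*)$")

# Chinese characters "bao yue" ("monthly"); the trojan deletes carrier SMS
# containing them so the subscription notice never reaches the user.
BAOYUE = "包月"


@dataclass
class SmsEvent:
    direction: str          # "out" (sent by the device) or "in" (received)
    number: str
    body: str
    deleted: bool = False   # incoming message removed without user interaction


def luhn_valid(digits: str) -> bool:
    """IMEI check digit validation (Luhn algorithm over all 15 digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def flag_outgoing(events: List[SmsEvent]) -> List[Dict[str, object]]:
    """Return outgoing messages whose body matches the YZHCSMS marker format.

    A Luhn-valid IMEI makes the hit much more likely to be a real device
    identifier rather than a coincidental string of digits.
    """
    hits = []
    for e in events:
        if e.direction != "out":
            continue
        m = YZHCSMS_BODY.match(e.body)
        if m:
            hits.append({
                "number": e.number,
                "imei": m.group("imei"),
                "imei_luhn_valid": luhn_valid(m.group("imei")),
                "user": m.group("user"),
            })
    return hits


def flag_suppressed_carrier_sms(events: List[SmsEvent]) -> List[SmsEvent]:
    """Return incoming messages containing 包月 that were deleted automatically."""
    return [e for e in events
            if e.direction == "in" and BAOYUE in e.body and e.deleted]


# Constructed sample events (numbers and texts are placeholders, not real data).
# 490154203237518 is the widely published example IMEI and is Luhn-valid.
SAMPLE_EVENTS = [
    SmsEvent("out", "CONSTRUCTED-PREMIUM-1", "YZHC490154203237518u42"),
    SmsEvent("out", "CONSTRUCTED-PREMIUM-2", "YHZC123456789012345"),   # digits fail Luhn
    SmsEvent("out", "CONSTRUCTED-FRIEND", "Dinner at 7?"),
    SmsEvent("in", "CONSTRUCTED-CARRIER", "您已订阅包月服务", deleted=True),
    SmsEvent("in", "CONSTRUCTED-CARRIER", "包月服务提醒", deleted=False),
]

if __name__ == "__main__":
    for hit in flag_outgoing(SAMPLE_EVENTS):
        print("outgoing YZHCSMS-style message:", hit)
    for ev in flag_suppressed_carrier_sms(SAMPLE_EVENTS):
        print("suppressed carrier notice:", ev.body)
```

On a real device the events would come from the SMS content provider or from a forensic export; the two checks are independent, so either one alone is a useful indicator, and both together match the behavior described for this trojan.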

Other variant

  • Trojan:Android/YZHCSMS.B