SMS Worm.Gazon: New Mobile Malware spread by Amazon Gift Card SMS Spam
There is a Chinese proverb: ‘A small spark can burn across a prairie’. It also applies to the malware world. A simple piece of malware is on the way to become one of the ‘spammiest’ mobile malware outbreaks seen yet. This malware we have dubbed Gazon spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page
Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazon[CENSORED]
The malware passes itself as an app that gives Amazon rewards. However, the only thing it actually does is pulling up a scam page inside the app which asks you to participate in the survey.
Each of the options below ends up taking you to either another scam page or asks you to download a game in the Google Play. While you are busy clicking through pages the author just earns money through your clicks as we have seen in other pieces of mobile malware.
However, in the background this malware harvests all your contacts and sends a spam message to each of them with the URL pointing to the body of the worm.
Thousands of people have seemingly installed this malware and been a victim. We are seeing over 4k infected devices in all of the major networks in North America, and we’ve blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical as each one of these messages was an attempt to spread the app to an infected user’s contacts. Based on click-throughs from the shortened URL it also seems this malware has been encountered in multiple other countries as well, worldwide
At the moment none of the AV engines detect this malware according to VirusTotal.
The shortened URL account related to this malicious URL was actually connected to a FB account which seems to be owned by a real person.
According to the profile this spam campaign was not the first one for the owner of the profile. There was a link that redirects users to a scam page related to a previous WhatsApp spam, incidentally this shows the close links between the authors of mobile messaging spam and WhatsApp spam we have seen in other cases.
The URL and the account have already been disabled and therefore further malware propagation is stopped.
However users should be aware of this scam, and as always, be careful clicking on links in text messages that seem suspect. In this case, like other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities.
If it doubt, don’t click, and it it is spam, report it to your service provider.
MD5 4a56c7abdc455c82e95753bdb1934285
SHA256 6ce53539d05d250ae1be6dfe44b43405a98d0454742eaacaf094e38eb2389a20
Thanks to Denis Maslennikov, Cathal Mc Daid & the bitly security team for their help.