SMS Worm.Gazon: New Mobile Malware spread by Amazon Gift Card SMS Spam
There is a Chinese proverb: ‘A small spark can burn across a prairie’. It also applies to the malware world. A simple piece of malware is on its way to becoming one of the ‘spammiest’ mobile malware outbreaks seen yet. This malware, which we have dubbed Gazon, spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page.
Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazon[CENSORED]
The malware passes itself off as an app that gives Amazon rewards. However, the only thing it actually does is pull up a scam page inside the app, which asks you to participate in a survey.
Each of the options below ends up either taking you to another scam page or asking you to download a game from Google Play. While you are busy clicking through pages, the author simply earns money through your clicks, as we have seen in other pieces of mobile malware.
However, in the background this malware harvests all your contacts and sends a spam message to each of them with the URL pointing to the body of the worm.
Thousands of people have seemingly installed this malware and become victims. We are seeing over 4k infected devices in all of the major networks in North America, and we’ve blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical, as each one of these messages was an attempt to spread the app to an infected user’s contacts. Based on click-throughs from the shortened URL, it also seems this malware has been encountered in multiple other countries worldwide.
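The propagation pattern described above (many devices each sending the same lure, differing only in the recipient's name, with a shortened link) is what a messaging filter can key on. The following is an added example, not code from the original article or its authors: it assumes traffic is available as (sender, recipient, body) tuples, and the thresholds, shortener list, function names and sample messages are all constructed for illustration.

```python
import re
from collections import defaultdict

# Shortener hosts to watch (assumed list; bit.ly is the one named in the article).
SHORTENERS = {"bit.ly"}
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.I)
GREETING_RE = re.compile(r"^(hey|hi|hello)\s+[^,]{1,40},", re.I)

def fingerprint(body):
    """Reduce a message to its template: mask URL paths, the greeting name and digits."""
    hosts = []
    def mask_url(m):
        hosts.append(m.group(1).lower())
        return "<url:%s>" % hosts[-1]
    text = URL_RE.sub(mask_url, body.strip())
    text = GREETING_RE.sub(lambda m: m.group(1) + " <name>,", text)
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).lower()
    return text, any(h in SHORTENERS for h in hosts)

def find_worm_templates(messages, min_senders=3, min_fanout=2):
    """Flag templates with a shortened link that at least `min_senders` distinct
    senders each sent to at least `min_fanout` distinct recipients."""
    fanout = defaultdict(lambda: defaultdict(set))  # template -> sender -> recipients
    for sender, recipient, body in messages:
        template, has_short = fingerprint(body)
        if has_short:
            fanout[template][sender].add(recipient)
    flagged = {}
    for template, senders in fanout.items():
        spreaders = {s for s, rcpts in senders.items() if len(rcpts) >= min_fanout}
        if len(spreaders) >= min_senders:
            flagged[template] = spreaders
    return flagged

# Constructed sample traffic; numbers, names and the URL path are placeholders.
LURE = "Hey %s, I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/EXAMPLE"
SAMPLE = [
    ("+15550001", "+15550101", LURE % "Ann"), ("+15550001", "+15550102", LURE % "Bob"),
    ("+15550002", "+15550103", LURE % "Cy"), ("+15550002", "+15550104", LURE % "Di"),
    ("+15550003", "+15550105", LURE % "Ed"), ("+15550003", "+15550106", LURE % "Flo"),
    ("+15550004", "+15550107", "Hey Gus, photos from Saturday: https://bit.ly/EXAMPLE2"),
    ("+15550005", "+15550108", "Your code is 482913"),
]

if __name__ == "__main__":
    for template, spreaders in find_worm_templates(SAMPLE).items():
        print(len(spreaders), "senders:", template)
```

A single person sharing one shortened link stays below both thresholds, while the lure collapses to one template no matter which contact name it greets.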
At the moment none of the AV engines detect this malware according to VirusTotal.
The shortened URL account related to this malicious URL was actually connected to a FB account which seems to be owned by a real person.
According to the profile, this spam campaign was not the first one for the owner of the profile. There was a link that redirects users to a scam page related to a previous WhatsApp spam campaign. Incidentally, this shows the close links between the authors of mobile messaging spam and WhatsApp spam that we have seen in other cases.
The URL and the account have already been disabled, and therefore further propagation of the malware has been stopped.
However, users should be aware of this scam and, as always, be careful about clicking on links in text messages that seem suspect. In this case, as with other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities.
If in doubt, don’t click, and if it is spam, report it to your service provider.
MD5 4a56c7abdc455c82e95753bdb1934285
SHA256 6ce53539d05d250ae1be6dfe44b43405a98d0454742eaacaf094e38eb2389a20
Thanks to Denis Maslennikov, Cathal Mc Daid & the bitly security team for their help.