Trojan:Android/YZHCSMS.A sends SMS/MMS messages to premium rate numbers, potentially incurring unexpected/unwanted usage charges.
Automatic
F-Secure's Mobile Security product blocks installation of this program with default settings (starting from database version 279).
This is a trojanized version of an application related to a Chinese social network, PPXIU.
Installation
Before installation, the trojan displays the following permission requests:
The permissions requested allow the program to observe the content of incoming SMS messages.
Trojan:Android/YZHCSMS.A is activated after a system reboot, or after the "Home" button is pressed.
Activity
Trojan:Android/YZHCSMS.A first reports its successful activation to a remote site:
It then obtains a list of premium-rate telephone numbers from another remote site:
Note: at the time of writing, both sites are blocked by our Browsing Protection service.
The trojan then sends SMS messages to the obtained numbers. The SMS messages sent contain text that always starts with "YHZC" or "YZHC", appended with the phone's International Mobile Equipment Identity (IMEI) number and user value.
This behavior may incur significant usage charges to the unsuspecting user. The trojan includes a routine that attempts to disguise this behavior. The trojan will delete incoming SMS messages from the service provider that contain the Chinese characters "bao yue" ("monthly" in English), without the user's knowledge.
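A defender-side check for the outbound message format described above, as an added example rather than code from the original description: it flags sent-SMS bodies that start with either prefix and carry a 15-digit IMEI. The separator layout, the log tuples, the function names and the sample IMEI are assumptions constructed for illustration.

```python
# Prefixes the write-up says every outbound message starts with.
PREFIXES = ("YHZC", "YZHC")

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for IMEI numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(body, device_imei=None):
    """Return 'match', 'prefix-only' or 'clean' for one outbound SMS body."""
    if not body.startswith(PREFIXES):
        return "clean"
    rest = body[4:]
    # Assumption: the page does not give the separator layout, so slide a
    # 15-character window over the remainder looking for an IMEI.
    for i in range(len(rest) - 14):
        chunk = rest[i:i + 15]
        if not (chunk.isascii() and chunk.isdigit()):
            continue
        if chunk == device_imei or (device_imei is None and luhn_ok(chunk)):
            return "match"
    return "prefix-only"

def scan(log, device_imei=None):
    """Return (destination, verdict) for every non-clean entry in the log."""
    hits = []
    for dest, body in log:
        verdict = classify(body, device_imei)
        if verdict != "clean":
            hits.append((dest, verdict))
    return hits

# Constructed sample log: destinations are placeholders, the IMEI is a
# commonly used Luhn-valid example value, not one taken from the page.
SAMPLE_LOG = [
    ("DEST-1", "YZHC490154203237518user1"),
    ("DEST-2", "YHZC 490154203237518 42"),
    ("DEST-3", "YZHC see you at 8"),
    ("DEST-4", "Running late, 490154203237518"),
]

if __name__ == "__main__":
    for dest, verdict in scan(SAMPLE_LOG):
        print(dest, verdict)
```

Passing the handset's own IMEI as `device_imei` removes the Luhn-only false positives that long digit runs can produce.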