Gazon SMS Trojan targets Android users by promising Amazon gift cards

Gazon is a malware targeting Android phones that sends multiple SMS text messages to every contact in the victim’s phone book. After opening the malware on the Android device the victim is told that he has won an Amazon gift card for $200. To redeem the gift card the victim is asked to take a quick survey. By clicking the survey button the malware author gets money from advertisement in the application while in the background the malware sends an SMS text message to every contact in the victim’s phone book with the message: 

How it spreads and installs

The malware spreads via SMS text message from infected users as soon as the victim opens the malware (application). It has also spread via social media like Facebook and Twitter. The link where the malware was stored has now been disabled.

After the .apk has been downloaded the user will have to open “Settings – Security” and mark the “Unknown Sources” check box. After that he is able to install the application. The malware has no automatic startup technique.

Payload

After installing the malware on the device, an Amazon Reward icon appears in the Application window. When the Amazon Reward application is opened a big Amazon logo appears for a few seconds and the user is taken to a screen where he is told he can get a “Free $200 Amazon gift card” by taking a Survey.

By clicking “Take the Survey!” button the victim is asked to complete one of the tasks/offers bellow and by clicking that button is taken to a new page where he is told he has been selected for a “FREE APP!” The free applications are legitimate applications from the Google Play Store. The malware author receives money from the ad clicks.

getContacts() Here the malware goes through the victims contact list and creates an SMS text message including the contacts name to make it more believable.

sendSMS()

The URL that displays the Amazon Reward scam.

This is the screen that is displayed after the victim has clicked the “Take the Survey!” button.

And here is where the malware author makes money. By clicking on one of the free games the malware author earns a few cents for each click.

List of permission the application uses:

  • android.permission.SEND_SMS
  • android.permission.READ_CONTACTS
  • android.permission.INTERNET
  • android.permission.ACCESS_NETWORK_STATE

This SMS/Trojan is detected by CYREN as AndroidOS/Gazon.A.gen!Eldorado.

Read more about CYREN‘s Mobile Security for Android if you are thinking about adding mobile security to your product offering.