A newly discovered mobile malware campaign cloaks itself as an Amazon voucher app before using a victim's contact list to spread to new targets.
Discovered by AdaptiveMobile, the campaign dubbed "Gazon" is touted as "one of the single largest messaging-initiated mobile malware outbreaks" recorded. The malware sends messages to a victim's contacts laden with malicious links -- which when opened, install malware on Android-based mobile devices.
As explained in the AdaptiveMobile blog, Gazon masquerades as an application which offers Amazon discounts and vouchers.
Since its original launch in the United States on 25th February, the campaign has infected thousands of mobile devices in more than 30 countries around the world -- including Canada, the UK, France, India, Korea, Mexico, Australia and the Philippines, according to the security team.
Gazon has spread through social media like wildfire, generating over 16,000 click-throughs across channels including Facebook and email. However, SMS messaging is the top route for the malware to spread -- accounting for over 99 percent of malicious message sending.
"By using the victims' own contacts, the attack exploits peoples' inherent trust when receiving messages from one of their own contacts. The speed with which this was able to spread around the globe shows how attackers are using mobile messaging as one of the most effective methods of distributing malware and achieving rapid global reach," said Simeon Coney, SVP of Security Practice at AdaptiveMobile. "To be able to detect, protect against and remediate from new threats it is critical to undertake constant proactive monitoring and control."
When the fake app is downloaded and opened, users are asked to participate in a survey to access Amazon vouchers. Victims are then required to click-through to other pages and download games from the Google Play store.
While a victim is busy clicking, the malware author is earning money -- just as the security team have seen with other examples of mobile malware. In addition, the malware is performing another task at the same time -- harvesting your contacts and sending a spam message to each of them with the URL pointing to the body of the worm.
The security firm says it has seen over 4,000 infected devices in "all of the major networks" in the US, and has blocked over 200,000 spam messages generated by these devices.
When AdaptiveMobile traced back the shortened URL further, it seems the campaign is linked to a Facebook account potentially owned by the malware author -- as the same account has also been linked to a now-defunct WhatsApp spam campaign. While the new campaign's URL and account have been disabled, it is worth remembering that links in text messages are often suspect -- even if sent by trusted sources.