Worm Gazon, fake Amazon gift card is targeting Android users

Android Gazon malware redirects a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page.

There is a new piece of malware called “Gazon”, and according to AdaptiveMobile, 4000 Android users are already infected.

“Gazon” was discovered on the 25th of February, and until yesterday no major vendor was detecting it.

The good news is that some of these vendors are now detecting Gazon, which will most probably prevent it from spreading further.

“Gazon spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page” states the post from AdaptiveMobile.

The delivered message follows this base template:

Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazon[CENSORED]

Normally all this starts with an SMS received from a person (who normally has you as a contact). The SMS contains a link that leads you to think you are accessing an application that provides Amazon rewards, but what it is actually doing is redirecting you to a page that asks you to participate in a survey.

The smart thing about this malware, which in my opinion made it pass under the radar for some time until now, is that it will not try to steal your credit card information, your PayPal, etc. What it will in fact do is this: if you finish the first survey, it will ask you either to download a game or to do another survey, so you keep clicking through pages, and the author of the malware earns money per click.

The tricky part of this malware (or it wouldn’t be called malware) is its spreading vector: the malware steals your contacts and sends a spam message to every single contact, that message being the same one the infected user first received.
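A detection sketch for the two behaviours described above, the gift-card lure with a shortened link and the same message fanned out to a whole contact list. This is an added example, not code from AdaptiveMobile or the article; the `(sender, recipient, body)` record layout, the shortener list, the threshold and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}  # assumed list; the article shows bit.ly
LURE = re.compile(r"gift\s*card|claim|reward", re.I)
URL = re.compile(r"https?://\S+", re.I)
GREETING = re.compile(r"^\s*(hey|hi|hello)\s+[^,]+,", re.I)

def score_message(body):
    """Return the list of heuristics an SMS body trips."""
    hosts = [(urlparse(u.rstrip(".,)")).hostname or "").lower()
             for u in URL.findall(body)]
    reasons = []
    if any(h in SHORTENERS for h in hosts):
        reasons.append("short_url")
    if LURE.search(body):
        reasons.append("lure")
    # Brand named in the text, but no link points at the brand's own domain.
    if "amazon" in body.lower() and hosts and not any(
            h == "amazon.com" or h.endswith(".amazon.com") for h in hosts):
        reasons.append("brand_mismatch")
    return reasons

def normalize(body):
    """Drop the per-recipient name so copies sent to different contacts match."""
    return GREETING.sub("<name>,", body).strip().lower()

def find_fanout(records, min_recipients=3):
    """Senders that sent one suspicious template to many distinct recipients."""
    groups = defaultdict(set)
    for sender, recipient, body in records:
        if len(score_message(body)) >= 2:
            groups[(sender, normalize(body))].add(recipient)
    return sorted({s for (s, _), r in groups.items() if len(r) >= min_recipients})

# Constructed sample records; numbers, names and the link path are placeholders.
TEMPLATE = ("Hey {}, I am sending you $200 Amazon Gift Card "
            "You can Claim it here : https://bit.ly/EXAMPLE")
SAMPLE = [
    ("+15550100", "+15550101", TEMPLATE.format("Ana")),
    ("+15550100", "+15550102", TEMPLATE.format("Ben")),
    ("+15550100", "+15550103", TEMPLATE.format("Cy")),
    ("+15550199", "+15550101", "Your Amazon order shipped: https://www.amazon.com/orders"),
    ("+15550198", "+15550101", "Hey Ana, lunch at noon?"),
]

if __name__ == "__main__":
    print(find_fanout(SAMPLE))
```

Because the lure arrives from a known contact, the per-message score alone is weak evidence; the fan-out of one normalized template from a single sender is the stronger signal of an infected handset.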

One curious thing discovered by our colleagues at AdaptiveMobile is that a piece of the malware code points to the Facebook account of a real person, a person who was already involved in WhatsApp spam.

I strongly believe that people need to take double care nowadays when using their mobile phones. If possible, always check and re-check whatever app you are thinking of downloading, and if you receive something odd (even from a friend), don’t risk it.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics, and ethical hacking. He has previous experience at major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog: http://high54security.blogspot.com/

Published by Pierluigi Paganini

(Security Affairs –  Gazon Android malware, mobile)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
