AegisLab found that apps published by "zsone" embed the following code segments (or similar ones) to send SMS messages in the background, subscribing the user to a paid service at some point after the app is launched. Users may be charged for this unknown subscription. As far as we know, it works in China. Google Inc. has been notified, and these apps have now been removed from the market.

The analysis is as follows. Take "iCartoon" as an example: it sends SMS messages to 1066185829, 106601412004 and 1066953930 when the user clicks to switch images for the 5th time, with specially coded text such as YXX1 or 921X1, to subscribe to an unknown service. It does this just once, to avoid being noticed by the user.

Figure 1: One of the messages it sends to 1066185829 behind the scenes ...

Figure 2: Delivers only at the 5th click ... (iCartoon case)

Figure 3: Delivers the SMS just once and saves a tag to mark whether it has been done or not. 'Y' means done.

Figure 4: Saves the tag via SharedPreferences ...
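
A static triage check for the behavior described above, added here as an example (it is not AegisLab's code or tooling): it flags an app whose manifest requests SEND_SMS and whose decompiled source calls sendTextMessage alongside one of the destination numbers reported above. The function name, the sample manifest and the sample sources are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Destination numbers reported in the analysis above.
REPORTED_DESTINATIONS = {"1066185829", "106601412004", "1066953930"}
SEND_CALL = re.compile(r"\bsendTextMessage\s*\(")
NUMBER_LITERAL = re.compile(r'"(\d{8,14})"')


def triage(manifest_xml, sources):
    """Triage one app from its manifest text and {filename: decompiled source}."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    send_calls, destinations = [], set()
    for name, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            if SEND_CALL.search(line):
                send_calls.append((name, lineno))
            # Hardcoded string literals that match a reported destination.
            destinations.update(
                n for n in NUMBER_LITERAL.findall(line) if n in REPORTED_DESTINATIONS)
    has_perm = "android.permission.SEND_SMS" in perms
    return {
        "send_sms_permission": has_perm,
        "send_calls": send_calls,
        "reported_destinations": destinations,
        # All three together match the pattern described in this post.
        "suspicious": has_perm and bool(send_calls) and bool(destinations),
    }


# Constructed sample input (hypothetical app, not taken from a real package).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.viewer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_SOURCES = {
    "Viewer.java": 'if (clicks == 5 && !done) {\n'
                   '    sms.sendTextMessage("1066185829", null, body, null, null);\n'
                   '}\n',
    "Util.java": 'String version = "1.0";\n',
}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

A hit on all three signals is a reason to inspect the app by hand, not a verdict: legitimate messaging apps also request SEND_SMS and call sendTextMessage.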


Currently, the malicious behavior we observed works only in China. If you are located in China, please check whether any of zsone's apps are on your device. If so, remove them immediately, or install AegisLab Antivirus tools to scan the device for you.

Below is the list of apps we found that are published by zsone and are suspicious (iSMS and iLife are not included; they are still under investigation):

iBook
iCartoon
LoveBaby
3D Cube horror terrible
Sea Ball
iCalendar
iMatch 对对碰
Shake Break
ShakeBanger
iMine
iGuide

Table 1: Apps that are suspicious.

By AegisLab