Security Alert: New Android Malware -- HippoSMS -- Found in Alternative Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
On July 10th, my research team came across a new Android malware named HippoSMS in alternative Chinese App Markets. This malware will incur additional phone charges by sending SMS messages to a hard-coded premium-rated number. It will also block/remove short messages from legitimate mobile phone service providers to prevent users from knowing about the additional charges. We have tested with several leading mobile AV software and neither detected it.

How it works

Our investigation shows that HippoSMS directly piggybacks the host app so that when the app is launched, it will immediately activate one service to send SMS messages to a hard-coded premium-rated number (1066******). After that, it registers one ContentObserver to monitor incoming SMS messages. Inside the ContentObserver, it will delete any SMS message if it starts with the number "10." Note that the numbers such as 10086/10010 represent legitimate mobile phone service providers in China and are typically used to notify users about the services they are ordering and the information of users' current balance of their mobile phone accounts. As a result, we believe the removal of the related SMS messages is used to hide the additional charges caused from the malware.


To our knowledge, the malware targets users in China and we do not find the threat in the official Android Market. For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,


Last modified: July 11th, 2011