Skip to content
Naked Security Naked Security

Gazon – the Android virus that SMSes everyone

The Android SMS virus "Gazon" sends itself to everyone in your contact list - including your friends, your mum... ...and your customers. Not a good look.

Thanks to Rowland Yu of SophosLabs for the behind-the-scenes effort he put into this article.

Another Android SMS virus has been doing the rounds, masquerading as an Amazon Rewards app.

It’s called Gazon, and it follows in the footsteps of earlier Android viruses like Selfmite and Heart App.

The Heart App story ended quickly and abruptly, with the alleged perpetrator busted by Chinese police in just 17 hours.

It seems he wasn’t a hardened cybercriminal, but a youthful malware creator of the old school, who was bored during his college vacation and wanted to show off at other people’s expense.

As far as we know, the crooks behind Selfmite weren’t quite so obvious about their own identities, and have eluded detection so far.

Viruses and worms…

A virus, remember, differs from the usual sort of malware threat because it doesn’t just infect your device, but can actively distribute itself onwards to infecte others.

In the 1980s and 1990s, most malware was viral, because that was a good way of spreading in the days when many people weren’t on the internet at all, and when most of those who went online did so only intermittently.

Of course, the very act of spreading automatically often made viruses more obvious than their non-self-spreading counterparts (known simply as Trojan Horses, or Trojans).

So, from about 2000 onwards, viruses began to die out because crooks could simply use giant spam runs, or poisoned websites, to trick people into downloading and installing malware, one victim at a time.

SMS viruses

On Android, some malware has combined these techniques in order to create mobile viruses.

Unlike viruses that email a complete copy of themselves as email attachments, this family of malware takes a hybrid approach, sending your contacts an SMS with a link to the virus.

Gazon, for example, arrives like this:

That means the infection can spread even though SMses are limited to less than 200 bytes. (The virus itself is 2.5MB.)

It also means that the poisoned link arrives from someone whose contact list you are part of.

That, in turn, means you’re probably more likely to click the link, even if you’re only thinking of taking a quick look-see.

Protected by Play

Many of you, especially if you stick to our guidelines, are protected from this sort of infection by Google’s default behaviour of allowing Google Play apps only.

Google Play isn’t immune to malware, but your risk is very much lower if you stick to its vaguely-walled garden.

Google not only performs various security checks before allowing apps into its Play store, but also stands ready to block malicious apps retrospectively.

So even if Google misses a dodgy app at the start, it can change its mind later, stopping any future spread of the malware and withdrawing it from circulation on any devices that have already installed it.

However, reliance only on Google Play doesn’t cut it for everyone, not least in regions like China, where Play doesn’t exist.

The Gazon risk

If you do live your Android life “off-Google,” then you are at risk of malware like Gazon.

If you install it, the icon might give you the impression that it really is all about Amazon Rewards:

But Gazon’s primary goal seems to be to make cents-at-a-time revenue by taking you to online ads for things reward cards, movie vouchers, free games, and so on.

Sample popups seen by SophosLabs include the following:

The main problem with Gazon, at least for business users, is probably a social one: it aggressively advertises your insecurity to your contacts.

Unlike earlier SMS viruses, it doesn’t limit itself to your top five, or 20, or even 99 contacts: it tells as many people as it can.

That almost certainly includes people who do business with you, as well as just your friends and family.

Do you really want to announce to your customers that your phone is “crook-friendly”?

Jump to our '10 Tips for Preventing Mobile Malware'...


Free download (no registration, no time-limit)...


Paul, don’t you mean “leave this turned ON to reduce your malware exposure” below the Unknown Sources photo?


No. He means OFF. This checkbox enable installation of unknown software, by default only software blessed by Google can be installed.


Nope, if you leave it turned off (which is the default) your phone will refuse to install anything that’s not from Google play. If you turn it on the phone will allow installation from other app sources, including malicious ones – hence the extra risk.


It’s one of those “other way around” options – you turn the option ON in order to set the protection OFF :-)

(It’s on to *allow* unknown sources, not on to suppress them.)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!