March 9, 2015 By Shane Schick 2 min read

You never want to look a gift horse in the mouth, but Android users who receive a text message about a free Amazon gift card should double-check to make sure they aren’t about to download mobile malware instead.

Gazon Mobile Malware Spreads

Researchers at Adaptive Mobile were among the first to raise awareness about Worm.Gazon, which spreads via SMS. In a series of screenshots, Adaptive Mobile shows how those who click on a link in the text messages are redirected to a bogus portal to take a survey. In the meantime, cybercriminals gain access to the user’s contact list to further spread the spam.

As CSO Online pointed out, cybercriminals have gotten used to exploiting Android devices with worms that harvest their personal information or lock users out until a ransom is paid. However, like some of the most successful hacking schemes, Gazon appears to rely largely on social engineering, or tricking users, rather than any flaws in the device’s operating system.

In this case, the supposed Amazon gift card is worth $200 — not large enough to seem overly suspicious, but similar to other marketing campaigns that ask for survey information in exchange for a chance to receive a prize. SC Magazine reported that beyond merely distributing the mobile malware to an Android user’s address book, requiring the victims to answer a series of questions means the cybercriminals are likely making money off some kind of advertising affiliate program, as well.

Targeting Android Users

Although the scam has already hit an estimated 4,000 North American users alone in less than a week, there may only be a subset of Android device owners at risk. According to the Sophos’ Naked Security blog, those who adhere to the default settings for the Google Play app store might be warned about installing apps from unknown sources such as an SMS URL.

For those who have been hoodwinked, the cybercriminals don’t seem focused on stealing banking information or other sensitive data. Instead, they seem primarily focused on users’ connections. This makes sense, since the wider Gazon’s reach becomes, the more incremental revenue can be generated by those behind it. In fact, ZDNet said Gazon’s distribution strategy is not only limited to text messages, but also spans to social media channels such as Facebook and Twitter.

Of course, as BGR points out, those whose Android smartphones get hit by the mobile malware can have their devices wiped or have it removed with off-the-shelf software tools. Once their address book has been compromised, however, it may be too late. Unlike a one-time Amazon gift card, that kind of data offers cybercriminals a gift that can keep on giving.

More from

How governance, risk and compliance (GRC) addresses growing data liability concerns

4 min read - In an era where businesses increasingly rely on artificial intelligence (AI) and advanced data capabilities, the effectiveness of IT services is more critical than ever. Yet despite the advancements in technology, business leaders are increasingly dissatisfied with their IT departments.According to a study by IBM's Institute for Business Value, confidence in the effectiveness of basic IT services among top executives has significantly declined. While AI promises transformational capabilities, particularly generative artificial intelligence (gen AI), the road to realizing these benefits…

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today