HippoSMS Malware Found in Alternative Chinese Application Markets



Xuxian Jiang, assistant professor in the Department of Computer Science at NC State University, and his research team came across a new Android malware called HippoSMS in alternative Chinese application markets.

As we write this article, this is being verified by all major anti-virus companies; a security alert might be issued soon if the threat is not contained.

“This malware will incur additional phone charges by sending SMS messages to a hard-coded premium-rated number. It will also block/remove short messages from legitimate mobile phone service providers to prevent users from knowing about the additional charges. We have tested with several leading mobile AV software and none detected it.”

How it works

Our investigation shows that HippoSMS directly piggybacks the host app so that when the app is launched, it will immediately activate one service to send SMS messages to a hard-coded premium-rated number (1066******). After that, it registers one ContentObserver to monitor incoming SMS messages. Inside the ContentObserver, it will delete any SMS message if it starts with the number “10.” Note that numbers such as 10086/10010 represent legitimate mobile phone service providers in China and are typically used to notify users about the services they are ordering and the current balance of their mobile phone accounts. As a result, we believe the removal of the related SMS messages is used to hide the additional charges caused by the malware.


To our knowledge, the malware targets users in China and we have not found the threat in the official Android Market. For mitigation, please follow basic, common-sense guidelines for smartphone security. For example:

  • download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
  • check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
  • be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.
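The permission check in the second guideline can be done on an app's decoded AndroidManifest.xml before installation. The script below is an added example, not code from the NC State team: the mapping from the behaviours described above to Android permissions, the out-of-package service heuristic and the sample manifest (a made-up `com.example.reader` app) are all assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption of this example: permissions that each behaviour described in
# the article would require on Android releases of that period.
BEHAVIOUR_PERMS = {
    "send SMS (premium-number charges)": {"android.permission.SEND_SMS"},
    "watch the SMS inbox": {"android.permission.READ_SMS"},
    "delete SMS (hide billing notices)": {"android.permission.WRITE_SMS"},
}

# Constructed sample: decoded manifest of a hypothetical repackaged app.
SAMPLE_MANIFEST = """<manifest
          xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.extra.MessageService"/>
  </application>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def foreign_services(manifest_xml):
    """Services declared outside the app's own package: a hint of piggybacked
    code only, since legitimate third-party SDKs also declare such services."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    names = [s.get(ANDROID_NS + "name", "") for s in root.iter("service")]
    return [n for n in names if "." in n and not n.startswith((".", pkg + "."))]


def audit(manifest_xml):
    perms = requested_permissions(manifest_xml)
    enabled = [b for b, need in BEHAVIOUR_PERMS.items() if need <= perms]
    return {
        "behaviours": enabled,
        "foreign_services": foreign_services(manifest_xml),
        # Send, read and delete together is the send-then-hide combination.
        "high_risk": len(enabled) == len(BEHAVIOUR_PERMS),
    }
```

Calling `audit()` on a manifest decoded from an APK returns the matched behaviours; a `high_risk` result on an app with no messaging function is a reason not to install it.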


Source: NC State University