Two Ztorg Trojans Removed from Google Play Store Are Definitely Better

For the second time in a month, Google removed malicious apps infected with the Ztorg Trojans that could allow attackers to root targeted devices.

Most software developers update their apps to patch vulnerabilities and add new features. But when the software is malware, an update could be the worst thing to do. The Google Play Store is always working to prevent malware from being downloaded by unsuspecting users and recently two apps built with the Ztorg malware were removed. The two apps, “Magic Browser” and “Noise Detector,” are believed to have been benign when they were originally uploaded to the Play Store, but the bad guys were updated the software using the malware toolkit over time.

The Ztorg Malware toolkit was identified by Kaspersky Labs in September, 2016 with “Guide for Pokémon Go.” At the time it was identified the Guide had been downloaded over 500,000 times and researchers estimate at least 6,000 successful infections. Since that time, dozens of apps associated with Ztorg have been distributed and eventually removed from the Google Play Store. And like all good developers, the bad guys using Ztorg are adding features and capabilities over time.

Once the initial app is installed, it utilizes a wide range of advanced techniques to evade detection, get updates from the Command and Control infrastructure and ultimately try to get Root on the phone. From Fortinet researchers:

• It implements many emulator detection features. It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass.
• It uses string obfuscation, based on XOR.
• It communicates with a remote server using DES-CBC encryption.
• It downloads, installs and launches an Android application from that remote server.

What happens when your smartphone is infected with a Ztorg trojan? Like most malware, the bad guys’ ultimate objective is to make money. Initial Ztorg trojans leveraged AdWare to generate money for the bad guys through legitimate advertising networks. Some of the techniques included redirecting webpages, messing with search results and collecting information about what sites you visit. These are legitimate, if unwanted, business activities, but in the case of the bad guys distributing trojan apps, the users participate unknowingly. The bad guys get all the profits, and the users get a poorly performing phone, that may even become unstable or unusable.

The two apps recently removed from the Google Play Store, “Magic Browser” and “Noise Detector” show an evolution of Ztorg Trojan capabilities and include some nifty new techniques for making illegitimate money. Premium Rate SMS is a business model where an individual sends a specific text message and the fees are automatically charged to the user’s mobile phone bill. For example, you could donate money for disaster relief simply by texting an amount with your phone. The latest Ztorg trojan leverages this Premium Rate SMS system, with the proceeds going to the bad guys. And like the rest of the Ztorg system, they use some sophisticated techniques to maximize their profits and minimize their chances of being caught.

Once infected, the trojan lies dormant for 10 minutes. In this way, if the user notices something odd, they are less likely to associate it with the app they just installed. After the delay, the trojan sends the first five digits of the phone’s International Mobile Subscriber Identity (IMSI) to the C&C servers. This part of the IMSI identifies what network the phone is connected to, and in what country. With this information the C&C can determine which Premium Rate SMS services are available and the trojan starts racking up the bills. And since most of these SMS services will reply with a txt message receipt or notice, the Ztorg Trojans delete incoming SMS messages. It seems obvious that a user would notice missing legitimate messages, but in the meantime the bad guys are counting their profits.

Mobile phones are convenient because they are compact, powerful and use a lot of simple shortcuts to makeup for the lack of a keyboard and a large screen. App stores make it easy to install new apps but it isn’t always obvious what the apps themselves are doing.

“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” says Roman Unuchek, researcher at Kaspersky Labs.

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.

Share On