Google cracks down on Ztorg Trojans plaguing the Play app store

The malware sends premium rate messages through Android devices to plunder your bank account.

These are the most common threats to Android smartphones

Google has been forced to step in and remove malicious apps potentially capable of rooting devices and sending expensive SMS messages from the Google Play Store.

When you download a mobile application from an official source, such as the Google Android Play Store or the Apple iOS App Store, you expect such software to be legitimate and safe to use.

But sometimes malicious apps slip through the net.

Since September 2016, Kaspersky Labs has found several dozen malicious apps in Google Play, all of which were malware variants able to root infected devices able to exploit the Android operating system to conduct activities including spying, surveillance, downloading additional malware, and taking full control of devices.

It seems the successful submission of malware to the Android app store has continued. Kaspersky Lab researchers say that in May, two new Trojan apps have been found.

The first malicious app, called "Magic Browser," is meant to speed up surfing the web. Uploaded to Google Play on May 15, it has been installed over 50,000 times.

screen-shot-2017-06-21-at-09-33-24.jpg

The second app is called "Noise Detector," and is described as software which is able to monitor and record environment noise. This application has been installed over 10,000 times.

screen-shot-2017-06-21-at-09-33-35.jpg

Both applications contain the Ztorg Trojan. While not a rooting malware, the Trojan can still cause serious harm as it is able to send premium-rate SMS messages from an infected phone without the user's consent.

Once downloaded and deployed on a device, the malware has been instructed to remain dormant for 10 minutes to alleviate suspicion. When this time is up, the Trojan connects to its command and control (C&C) server before making two GET requests to gain the device's International Mobile Subscriber Identity (IMSI).

With this number secured, the operators can identify the country code and mobile operator of the user's device, which is needed to point premium rate SMS messages in the right direction.

When messages start to come through, the malware then turns off the device's sound and deletes all incoming messages to prevent the user from noticing that anything is wrong.

As it is often the ultimate goal of cybercriminals to make money, the Trojan will then send premium SMS messages, but if sent advertising offers from the C&C, it will also show these ads to the user to generate additional revenue.

In total, Magic Browser tries to send SMS messages from 11 different places, while Noise Detector contains similarities in its code.

Other samples of the Trojan found in apps outside of Google's store suggest that the Trojan has also been upgraded with additional functionality and tools, such as the potential to perform clickjacking attacks and sign up users to WAP billing programs without permission.

Kaspersky believes that the apps were uploaded for different purposes. The first, Magic Browser, may have been uploaded as a test to see if the cybercriminals could get away with certain functions, while Noise Detector was uploaded with the standard version of Ztorg.

"In the process of uploading they decided to add some malicious functionality to make money while they were working on publishing the rooting malware," the cybersecurity firm says. "It is likely that, if the app hadn't been removed from Google Play, they would have added this functionality at the next stage."

The apps were reported to Google and swiftly removed from the store, but for those that have already compromised their devices by downloading the software, deleting the apps is paramount. It would also be worth looking into a mobile malware scanner to remove any malicious files leftover and help limit the risk of future infections.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All