Ztorg malware: Infected apps on Google Play Store send premium SMS texts, delete incoming messages

Malicious apps capable of sneaking malware onto unsuspecting users' Android devices to send expensive premium-rate SMS texts and delete incoming SMS messages have been found on the Google Play Store. Kaspersky lab analyst Roman Unuchek found two such apps in late May that were collectively downloaded over 60,000 times.

Kaspersky identified the new strand of the Ztorg Trojan as Trojan-SMS.AndroidOS.Ztorg.a, which was found in two apps on Play Store.

The first app, dubbed Magic Browser, claimed to be an internet browser, was uploaded to Google Play on 15 May this year and was downloaded over 50,000 times. The second one - Noise Detector - claimed to be able to measure the decibel level of sounds, was downloaded over 10,000 times.

Both the Trojan apps were reported to Google and have been deleted from the Play Store.

After an unsuspecting user installs and starts the malware-laden app, the Trojan waits for 10 minutes before connecting to its command and control (C&C) server, Unuchek explains.

It then makes two GET requests to the C&C, the first of which includes the first three digits of the Android device's International Mobile Subscriber Identity (IMSI). Once it receives some data from the server, it sends a second GET request which includes the first five digits of the IMSI.

The first three digits of the device's IMSI are the MCC (mobile country code) while the third and fourth are the MNC (mobile network code).

"Using these digits, the cybercriminals can identify the country and mobile operator of the infected user. They need this to choose which premium rate SMS should be sent," Unuchek said.

The Trojan then sends premium rate SMS messages, turns off the infected device's sound and begins to delete all incoming SMS to prevent the user from figuring out that something is wrong. Threat actors can use the malicious code to perform clickjacking attacks, open advertising URLs and sign up users to WAP billing programs without permission to steal money from the user's mobile account.

The Kaspersky researcher said he found similar malicious apps with the same functionality distributed outside the Google Play Store as well.

"The concept of Android Trojans sending premium SMS messages is almost as old as Android malware itself; the technique has long been a way for cybercriminals to make quick, easy money," Kaspersky notes.

Unuchek believes the infected Magic Browser app was uploaded to the Google Play Store by the cybercriminals as a test to see if they could upload this kind of functionality. The Noise Detector app, on the other hand, was uploaded with the standard version of the Ztorg malware.

"In the process of uploading they decided to add some malicious functionality to make money while they were working on publishing the rooting malware," Unuchek said. "It is likely that, if the app hadn't been removed from Google Play, they would have added this functionality at the next stage."

Last year, the malicious "Guide for Pokémon Go" app that was found lurking on the Google Play Store was built around the Ztorg malware. That app was downloaded over 500,000 times and was able to root victims' Android devices and flood them with malicious files and unwanted apps.

Kaspersky points out that threat actors uploading clean apps with seemingly benign code and later updating them with malicious code can make it difficult for Google and users to identify and figure out if an app is safe or not.

"The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible," Unuchek said. "Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days' time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection."