Ztorg_Trojan


Thankfully Google has detected and deleted these Apps from Google Play Store!

The lethal Trojan Ztorg has yet again made it to the headlines. As per reports, malicious actors are using this malware to gain monetary benefits like never before, not to forget that there are now over ninety new ways to earn illegal profits through this app. Google had recently detected and removed two Apps namely “Magic Browser” and “Noise Detector’’ that was infected with the Ztorg trojan. In order to stay low in the radar, the apps were uploaded clean initially but later it was updated with Ztorg with the help of malware tool kit.

The past of Ztorg Trojan

As far as the past usage of Ztorg is concerned, it has been used several times by malicious actors in order to gain monetary gains. Back in September 2016, a major Russian information security company had detected the Ztorg malware toolkit embedded in the Guide of the famous location based augmented reality game called Pokemon Go. According to researchers the guide was downloaded at least 500,000 times by users further amounting to a total of approximately 6000 infections in various devices. After this incident was brought to the light there have been several attempts by malicious actors to infect the devices of innocent users with this malware. The capabilities of Ztorg are also constantly modified making it more effective and lethal further shedding light on the evolving capabilities of this malware.  Infact, there have been numerous apps carrying the Ztorg malware toolkit that have been detected and removed by Google from the Google Play Store in the recent past.

About the Malicious Apps “Magic Browser” and “Noise Detector” Mounted with the Ztorg Trojan

The two apps that was detected and removed from Google Play is said to have quite a bit of advanced features. As mentioned above in this article there is about 90 ways through which malicious actors can earn monetary gains by embedding Ztorg Trojan in apps. One of the most talked about ways which might have helped the bad guys from earning a considerable amount of money is through Premium Rate SMS. It has been noted that the bad guys must have used the Ztorg Trojan to leverage Premium Rate SMS system that could have benefited the malicious actors by leaps and bounds.

Technical Details & Capabilities of Ztorg—How does Ztorg unleashes its Venom to capture mobile handset details to trap the users to use the vicious Premium Rate SMS system

Once the mobile phone of the user is infected by the Trojan that comes with the apps it has been observed that it stays dormant for precisely 10 minutes. The Trojan Ztorg is programmed to capture the phone’s International Mobile Subscriber Identity (IMSI) and sends it to C&C servers. The first five digits of the IMSI number allows the malicious actors to detect the country and the mobile network service provider to which he/she is connected to.  This information is more than enough to figure out whether a Premium Rate SMS service is available for the affected user. Once it has been established that the service is available for the user the Trojan starts donating funds through the Premium Rate SMS system which eventually ends up in the accounts of the bad guys. In order to trick the affected user the Ztorg Trojan also deletes any incoming text messages from the mobile operator that points out to the fact that the funds were transferred.

Don’t leave yourself exposed. Find your vulnerabilities before cybercriminals do. Contact us for Vulnerability Assessment and Penetration Testing.

Details
Date Published
June 21, 2017