Ztorg malware hid in Google Play to send premium-rate SMS texts, delete incoming SMS messages

Fake apps with same functionality found in non-official Android app marketplaces.

David bisson
David Bisson

Ztorg malware hid in Google Play to send premium-rate SMS texts, delete incoming SMS messages

The Ztorg malware hid in apps on Google’s Play Store to send premium-rate SMS texts and delete incoming SMS messages on Android devices.

In the second half of May 2017, Kaspersky Lab analyst Roman Unuchek came across two malicious apps on Google’s Play Store.

The apps, called “Magic Browser” and “Noise Detector,” have a combined total of 60,000 user installations. What’s interesting about these apps is that they don’t conceal Ztorg in its traditional device-rooting form. Instead they hide an SMS-based version of the threat.

Sign up to our free newsletter.
Security news, advice, and tips.
Magic browser
Trojan-SMS.AndroidOS.Ztorg.a on Google Play Store. (Source: Kaspersky Lab)

So what do these malicious apps do?

After a user installs them, the apps wait 10 minutes before connecting to their command-and-control (C&C) server. They then make two GET requests, the first of which includes the first three digits of the Android device’s International Mobile Subscriber Identity (IMSI). If the trojan receives data from the server, it responds with its second GET request containing the first five digits of the IMSI.

Unuchek explains the significance of this technique:

“The interesting thing about the IMSI is that the first three digits are the MCC (mobile country code) and the third and fourth digits are the MNC (mobile network code). Using these digits, the cybercriminals can identify the country and mobile operator of the infected user. They need this to choose which premium rate SMS should be sent.”

Following these requests, the trojan receives a JSON file of “offers” carrying a string field called “url.” Some of these “url” fields actually contain a URL, in which case Ztorg displays content to the user. In the event the field carries a “SMS” substring, it sends an SMS message to the number provided, turns off the device sound, and starts blocking all incoming SMS text messages.

Malicious code where the Trojan decides if it should send an SMS. (Source: Kaspersky Lab)

These attack-generated text messages mainly go to premium-rate SMS services. But some of them go elsewhere. Unuchek discovered this variation while analyzing malicious apps with the same functionality distributed outside Google’s Play Store:

“I downloaded several JS files, using different MCC’s, to find out what cybercriminals are going to do with users from a different countries. I wasn’t able to get a file for a US MCC, but for other countries that I tried I received files with some functions. All the files contain a function called “getAocPage” which most likely references AoC – Advice of Charge. After analyzing these files, I found out that their main purpose is to perform clickjacking attacks on web pages with WAP billing. In doing so, the Trojan can steal money from the user’s mobile account.”

All things considered, Ztorg’s SMS-based variant doesn’t compare with other Android threats that inject code into system runtime libraries, use phishing overlays to steal banking credentials, and enlist devices into a botnet. But it’s still a malicious program, one that can cost users a lot of money.

With that said, Android users should protect themselves by installing apps only from trusted developers on the Google Play Store. They should also keep an anti-virus solution installed on their devices and not click on any suspicious SMS-based links.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.