Attackers try to sneak a Ztorg Trojan onto Google Play by wrapping it in another one

Kaspersky Lab experts have discovered Ztorg apps on the Google Play Store that appear to show cybercriminals trying different ways to get their malware past security – in this case by installing their malicious code in stages and wrapping a Trojan SMS around an encrypted rooting Trojan.

The attackers used the Trojan SMS to make money from victims through Premium-rate SMS while they waited to execute the rooting Trojan. The apps were downloaded more than 50,000 times since mid-May, 2017, but have now been removed from Google Play.

The determination of cybercriminals to infect Android devices with Ztorg malware through the Google Play Store shows no signs of slowing down, with attackers constantly adapting their tools and techniques to avoid discovery.

In May 2017, Kaspersky Lab researchers discovered what appeared to be a standalone Ztorg variant, a Trojan SMS. On closer inspection, it turned out to contain an encrypted Ztorg rooting Trojan. The Ztorg SMS was found in two apps, a browser and a “noise detection” application.

The browser app, which was downloaded 50,000 times, was uploaded to Google Play on 15 May, and never updated – possibly because it was a test run to see if the functionality worked.

The researchers were able to make a more detailed study of the “noise detection” app, uploaded on 20 May and installed more than 10,000 times before being deleted by Google. Their analysis suggests the cybercriminals’ ultimate aim was to execute a regular version of the Ztorg Trojan.

But since they had opted for a stage-by-stage approach involving a series of clean and then malicious updates, they added some supplementary malicious functionality to make money while they were waiting to run the rooting malware.

The Ztorg SMS functionality allows the app to send premium rate SMS, delete incoming SMS and switch off sound.

“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

Kaspersky Lab advises users to install a reliable security solution, such as Kaspersky Internet Security for Android, on their device, always check that apps have been created by a reputable developer, to keep their OS and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.