The Ztorg malware hid in apps on Google’s Play Store to send premium-rate SMS texts and delete incoming SMS messages on Android devices.
In the second half of May 2017, Kaspersky Lab analyst Roman Unuchek came across two malicious apps on Google’s Play Store.
The apps, called “Magic Browser” and “Noise Detector,” have a combined total of 60,000 user installations. What’s interesting about these apps is that they don’t conceal Ztorg in its traditional device-rooting form. Instead they hide an SMS-based version of the threat.
So what do these malicious apps do?
After a user installs them, the apps wait 10 minutes before connecting to their command-and-control (C&C) server. They then make two GET requests, the first of which includes the first three digits of the Android device’s International Mobile Subscriber Identity (IMSI). If the trojan receives data from the server, it responds with its second GET request containing the first five digits of the IMSI.
Unuchek explains the significance of this technique:
“The interesting thing about the IMSI is that the first three digits are the MCC (mobile country code) and the third and fourth digits are the MNC (mobile network code). Using these digits, the cybercriminals can identify the country and mobile operator of the infected user. They need this to choose which premium rate SMS should be sent.”
Following these requests, the trojan receives a JSON file of “offers” carrying a string field called “url.” Some of these “url” fields actually contain a URL, in which case Ztorg displays content to the user. In the event the field carries an “SMS” substring, it sends an SMS message to the number provided, turns off the device sound, and starts blocking all incoming SMS text messages.
These attack-generated text messages mainly go to premium-rate SMS services. But some of them go elsewhere. Unuchek discovered this variation while analyzing malicious apps with the same functionality distributed outside Google’s Play Store:
“I downloaded several JS files, using different MCCs, to find out what cybercriminals are going to do with users from different countries. I wasn’t able to get a file for a US MCC, but for other countries that I tried I received files with some functions. All the files contain a function called “getAocPage” which most likely references AoC – Advice of Charge. After analyzing these files, I found out that their main purpose is to perform clickjacking attacks on web pages with WAP billing. In doing so, the Trojan can steal money from the user’s mobile account.”
All things considered, Ztorg’s SMS-based variant doesn’t compare with other Android threats that inject code into system runtime libraries, use phishing overlays to steal banking credentials, and enlist devices into a botnet. But it’s still a malicious program, one that can cost users a lot of money.
With that said, Android users should protect themselves by installing apps only from trusted developers on the Google Play Store. They should also keep an anti-virus solution installed on their devices and not click on any suspicious SMS-based links.
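For defenders who manage a device fleet, the two-step check-in described above (a GET carrying the first three IMSI digits, then one carrying the first five) can be hunted for in web proxy logs when each device's IMSI is known from inventory. The Python below is an added example, not code from Kaspersky Lab or from the malware; the log format, hostnames, parameter names and IMSI are constructed, and it assumes the digits appear as a whole query value or path segment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed inventory: device id -> IMSI (for example, an MDM export).
INVENTORY = {"dev-17": "250011234567890"}

# Constructed proxy log lines: "<epoch> <device> GET <url>".
# Hosts and parameter names are placeholders, not Ztorg indicators.
SAMPLE_LOG = """\
1495000000 dev-17 GET http://cdn.example.net/img?id=250
1495000600 dev-17 GET http://c2.example.org/a?x=250
1495000605 dev-17 GET http://c2.example.org/b?x=25001
1495000700 dev-17 GET http://shop.example.com/item?sku=25001
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+GET\s+(\S+)$")


def imsi_prefix_checkins(log_text, inventory, window=120):
    """Return (device, host) pairs where a GET carrying the device's 3-digit
    IMSI prefix is followed within `window` seconds by a GET to the same
    host carrying its 5-digit prefix."""
    seen_short = defaultdict(list)  # (device, host) -> times of 3-digit leak
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) not in inventory:
            continue  # skip malformed lines and devices not in inventory
        ts, dev, url = int(m.group(1)), m.group(2), m.group(3)
        imsi = inventory[dev]
        parts = urlsplit(url)
        # Compare whole query values and path segments, not substrings, so
        # the prefix inside an unrelated longer number does not match.
        tokens = {v for _, v in parse_qsl(parts.query)}
        tokens |= set(parts.path.split("/"))
        key = (dev, parts.hostname)
        recent = any(0 <= ts - t <= window for t in seen_short[key])
        if imsi[:5] in tokens and recent and key not in hits:
            hits.append(key)
        if imsi[:3] in tokens:
            seen_short[key].append(ts)
    return hits


if __name__ == "__main__":
    print(imsi_prefix_checkins(SAMPLE_LOG, INVENTORY))
```

A single three- or five-digit match is common in benign traffic, which is why the check requires both prefixes, in order, to the same host within a short window.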