Saturday, June 15, 2024

Dangerous apps with Rooting Trojan “Ztorg” found in Google Play Store that can delete all incoming SMS

A couple of malicious apps distributed on Google play store with rooting Trojan Ztorg and it also has Trojan-SMS functionality. Trojan-SMS can send Premium rate SMS and destroy incoming SMS.

There is no surprise now to see a malicious app in Google play store, recently we heard about Xavier and Judy which infects Millions of users.

Kaspersky Lab products recognize the two Trojan applications (Magic browser, Noise Detector) as Trojan-SMS.AndroidOS.Ztorg.a and they reported to Google and now it has been removed.

Dangerous apps with Rooting Trojan "Ztorg" found in Google Play Store

Also read Dangerous Malware detected that is capable of Controlling Electric Power Systems

The App Magic browser found uploaded in Google play store on May 15, 2017, and downloaded for more than 50,000 times. Another app with same functionality founded downloaded more than 10,000 times.

Execution Flow

Security Expert Roman Unuchek from Kaspersky Labs found an interesting behavior with the Trojan in establishing the connection with Command and control servers.

It makes two requests and in both requests, it looks for IMEI number. The first request looks for three digits and if it succeeds second request look’s for First five digits.

GET, where 250 – first three digits of the IMSI.

GET, where 25001 – first five digits of the IMSI.

As we aware the first three digits indicate Mobile country code and the next two digits indicates mobile network code.With this information, attackers can find user country and mobile operator, according to this information they will select premium rate SMS.

Also read Dvmap – First Ever Android Rooting Malware with Code Injection Capabilities

Answering to the request Trojan will receive encrypted JSON includes a list of offers carries a string field called URL which may or may not have the original URL if it is an  “SMS” substring it will send the message to the number it contains.

If it is an URL it shows in the User screen, neither SMS or URL to Visit then the Trojan Mute the device and delete all the incoming messages.

In a Further examination, Roman revealed that these Trojans were introduced by a standard Ztorg Trojan alongside other Ztorg modules.

Security Expert Roman Says "After analyzing these files, I found out that their
main purpose is to perform clickjacking attacks on web pages with WAP billing. In
doing so, the Trojan can steal money from the user’s mobile account.To hide these
activities the Trojans turn off the device sound and delete all incoming SMS.
WAP billing works in a similar way to Premium rate SMS, but usually in the form of
subscriptions and not one-time payments as most Premium rate SMS".


Experts assume that the malicious app “Magic browser” uploaded to examine that the attackers can upload malicious app into the Google store.

But this is not the case with “Noise Detector” on May 20th they upload a clean app and after few days they replaced it again with the clean version.

After some days they uploaded a new version that consists of encrypted trojan Ztorg and on the same date, a final update made which includes Trojan-SMS functionality.Still, the app didn’t add the possibility of decrypting or to execute the encrypted Ztorg module.

Roman says"I think that the authors are still testing this malware because they
use some techniques which can break the infected devices".

Also read Malicious Android ads leads to Automatically Download and Install Apps that Contain Malware in Android Devices


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles