A couple of malicious apps distributed on Google play store with rooting Trojan Ztorg and it also has Trojan-SMS functionality. Trojan-SMS can send Premium rate SMS and destroy incoming SMS.

There is no surprise now to see a malicious app in Google play store, recently we heard about Xavier and Judy which infects Millions of users.

Kaspersky Lab products recognize the two Trojan applications (Magic browser, Noise Detector) as Trojan-SMS.AndroidOS.Ztorg.a and they reported to Google and now it has been removed.

Dangerous apps with Rooting Trojan "Ztorg" found in Google Play Store

Also read Dangerous Malware detected that is capable of Controlling Electric Power Systems

The App Magic browser found uploaded in Google play store on May 15, 2017, and downloaded for more than 50,000 times. Another app with same functionality founded downloaded more than 10,000 times.

Execution Flow

Security Expert Roman Unuchek from Kaspersky Labs found an interesting behavior with the Trojan in establishing the connection with Command and control servers.

It makes two requests and in both requests, it looks for IMEI number. The first request looks for three digits and if it succeeds second request look’s for First five digits.

GET c.phaishey.com/ft/x250_c.txt, where 250 – first three digits of the IMSI.

GET c.phaishey.com/ft/x25001_0.txt, where 25001 – first five digits of the IMSI.

As we aware the first three digits indicate Mobile country code and the next two digits indicates mobile network code.With this information, attackers can find user country and mobile operator, according to this information they will select premium rate SMS.

Also read Dvmap – First Ever Android Rooting Malware with Code Injection Capabilities

Answering to the request Trojan will receive encrypted JSON includes a list of offers carries a string field called URL which may or may not have the original URL if it is an  “SMS” substring it will send the message to the number it contains.

If it is an URL it shows in the User screen, neither SMS or URL to Visit then the Trojan Mute the device and delete all the incoming messages.

In a Further examination, Roman revealed that these Trojans were introduced by a standard Ztorg Trojan alongside other Ztorg modules.

Security Expert Roman Says "After analyzing these files, I found out that their 
main purpose is to perform clickjacking attacks on web pages with WAP billing. In
doing so, the Trojan can steal money from the user’s mobile account.To hide these
activities the Trojans turn off the device sound and delete all incoming SMS.
WAP billing works in a similar way to Premium rate SMS, but usually in the form of 
subscriptions and not one-time payments as most Premium rate SMS".

Functionalities

Experts assume that the malicious app “Magic browser” uploaded to examine that the attackers can upload malicious app into the Google store.

But this is not the case with “Noise Detector” on May 20th they upload a clean app and after few days they replaced it again with the clean version.

After some days they uploaded a new version that consists of encrypted trojan Ztorg and on the same date, a final update made which includes Trojan-SMS functionality.Still, the app didn’t add the possibility of decrypting or to execute the encrypted Ztorg module.

Roman says"I think that the authors are still testing this malware because they
use some techniques which can break the infected devices".

Also read Malicious Android ads leads to Automatically Download and Install Apps that Contain Malware in Android Devices