Friday, March 29, 2024

Dangerous apps with Rooting Trojan “Ztorg” found in Google Play Store that can delete all incoming SMS

A couple of malicious apps distributed on Google play store with rooting Trojan Ztorg and it also has Trojan-SMS functionality. Trojan-SMS can send Premium rate SMS and destroy incoming SMS.

There is no surprise now to see a malicious app in Google play store, recently we heard about Xavier and Judy which infects Millions of users.

Kaspersky Lab products recognize the two Trojan applications (Magic browser, Noise Detector) as Trojan-SMS.AndroidOS.Ztorg.a and they reported to Google and now it has been removed.

Dangerous apps with Rooting Trojan "Ztorg" found in Google Play Store

Also read Dangerous Malware detected that is capable of Controlling Electric Power Systems

The App Magic browser found uploaded in Google play store on May 15, 2017, and downloaded for more than 50,000 times. Another app with same functionality founded downloaded more than 10,000 times.

Execution Flow

Security Expert Roman Unuchek from Kaspersky Labs found an interesting behavior with the Trojan in establishing the connection with Command and control servers.

It makes two requests and in both requests, it looks for IMEI number. The first request looks for three digits and if it succeeds second request look’s for First five digits.

GET c.phaishey.com/ft/x250_c.txt, where 250 – first three digits of the IMSI.

GET c.phaishey.com/ft/x25001_0.txt, where 25001 – first five digits of the IMSI.

As we aware the first three digits indicate Mobile country code and the next two digits indicates mobile network code.With this information, attackers can find user country and mobile operator, according to this information they will select premium rate SMS.

Also read Dvmap – First Ever Android Rooting Malware with Code Injection Capabilities

Answering to the request Trojan will receive encrypted JSON includes a list of offers carries a string field called URL which may or may not have the original URL if it is an  “SMS” substring it will send the message to the number it contains.

If it is an URL it shows in the User screen, neither SMS or URL to Visit then the Trojan Mute the device and delete all the incoming messages.

In a Further examination, Roman revealed that these Trojans were introduced by a standard Ztorg Trojan alongside other Ztorg modules.

Security Expert Roman Says "After analyzing these files, I found out that their
main purpose is to perform clickjacking attacks on web pages with WAP billing. In
doing so, the Trojan can steal money from the user’s mobile account.To hide these
activities the Trojans turn off the device sound and delete all incoming SMS.
WAP billing works in a similar way to Premium rate SMS, but usually in the form of
subscriptions and not one-time payments as most Premium rate SMS".

Functionalities

Experts assume that the malicious app “Magic browser” uploaded to examine that the attackers can upload malicious app into the Google store.

But this is not the case with “Noise Detector” on May 20th they upload a clean app and after few days they replaced it again with the clean version.

After some days they uploaded a new version that consists of encrypted trojan Ztorg and on the same date, a final update made which includes Trojan-SMS functionality.Still, the app didn’t add the possibility of decrypting or to execute the encrypted Ztorg module.

Roman says"I think that the authors are still testing this malware because they
use some techniques which can break the infected devices".

Also read Malicious Android ads leads to Automatically Download and Install Apps that Contain Malware in Android Devices

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles