Malware hidden in Google Play steals money through SMSs

Johannesburg - Cybercriminals are now trying different ways to get their malware past security. The latest of these is to install malicious code in stages by wrapping a Trojan SMS around an encrypted rooting Trojan.

The determination of attackers to infect Android devices with Ztorg malware through the Google Play Store shows no signs of slowing down, with criminals constantly adapting their tools and techniques to avoid discovery. 

The attackers use the Ztorg-Android malware Trojan SMS to make money from victims through Premium-rate SMS while they wait to execute the rooting Trojan. 

The apps have been downloaded more than 50 000 times since mid-May 2017, but have now been removed from Google Play.

READ: Cybercriminals focusing on data-rich smartphones

In May 2017, Kaspersky Lab researchers discovered what appeared to be a standalone Ztorg variant, a Trojan SMS. 

On closer inspection, it turned out to contain an encrypted Ztorg rooting Trojan. 

The Ztorg SMS was found in two apps, a browser and a “noise detection” application.

The browser app was uploaded to Google Play on May 15 and never updated – possibly because it was a test run to see if the functionality worked.

The researchers were able to make a more detailed study of the “noise detection” app, uploaded on May 20 and installed more than 10 000 times before being deleted by Google. 

Their analysis suggests the cybercriminals’ ultimate aim was to execute a regular version of the Ztorg Trojan. 

READ: Half of online theft victims get money back - research

But since they had opted for a stage-by-stage approach involving a series of clean and then malicious updates, they added some supplementary malicious functionality to make money while they were waiting to run the rooting malware.

The Ztorg SMS functionality allows the app to send premium rate SMSs, delete incoming SMSs and switch off sound.

“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. 

"Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab. 

Kaspersky Lab advises users to install a reliable security solution on their device, always check that apps have been created by a reputable developer, keep their OS and application software up to date, and not to download anything that looks at all suspicious or whose source cannot be verified.

All Kaspersky Lab products detect the Trojan as Trojan-SMS.AndroidOS.Ztorg.a.

Read Fin24's top stories trending on Twitter:

Brent Crude
All Share
Top 40
Financial 15
Industrial 25
Resource 10
All JSE data delayed by at least 15 minutes morningstar logo
Company Snapshot
Voting Booth
Please select an option Oops! Something went wrong, please try again later.
I'm not really directly affected
18% - 2050 votes
I am taking a hit, but should be able to recover in the next year
23% - 2667 votes
My finances have been devastated
35% - 4001 votes
It's still too early to know what the full effect will be
25% - 2869 votes