Johannesburg - Cybercriminals are now trying different ways to get their malware past security. The latest of these is to install malicious code in stages by wrapping a Trojan SMS around an encrypted rooting Trojan.
The determination of attackers to infect Android devices with Ztorg malware through the Google Play Store shows no signs of slowing down, with criminals constantly adapting their tools and techniques to avoid discovery.
The attackers use the Ztorg-Android malware Trojan SMS to make money from victims through Premium-rate SMS while they wait to execute the rooting Trojan.
The apps have been downloaded more than 50 000 times since mid-May 2017, but have now been removed from Google Play.
In May 2017, Kaspersky Lab researchers discovered what appeared to be a standalone Ztorg variant, a Trojan SMS.
On closer inspection, it turned out to contain an encrypted Ztorg rooting Trojan.
The Ztorg SMS was found in two apps, a browser and a “noise detection” application.
The browser app was uploaded to Google Play on May 15 and never updated – possibly because it was a test run to see if the functionality worked.
The researchers were able to make a more detailed study of the “noise detection” app, uploaded on May 20 and installed more than 10 000 times before being deleted by Google.
Their analysis suggests the cybercriminals’ ultimate aim was to execute a regular version of the Ztorg Trojan.
But since they had opted for a stage-by-stage approach involving a series of clean and then malicious updates, they added some supplementary malicious functionality to make money while they were waiting to run the rooting malware.
The Ztorg SMS functionality allows the app to send premium rate SMSs, delete incoming SMSs and switch off sound.
“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible.
"Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.
Kaspersky Lab advises users to install a reliable security solution on their device, always check that apps have been created by a reputable developer, keep their OS and application software up to date, and not to download anything that looks at all suspicious or whose source cannot be verified.
All Kaspersky Lab products detect the Trojan as Trojan-SMS.AndroidOS.Ztorg.a.
Read Fin24's top stories trending on Twitter: